This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
     new a3a553d  RANGER-3350: Ranger HivePluginAuthorizer SHOW CURRENT ROLES 
not fetching the role set in current hive beeline session
a3a553d is described below

commit a3a553d753af2eff846f1f6fd23eb4f6352cbd75
Author: Ramesh Mani <rm...@cloudera.com>
AuthorDate: Tue Aug 17 21:58:03 2021 -0700

    RANGER-3350: Ranger HivePluginAuthorizer SHOW CURRENT ROLES not fetching 
the role set in current hive beeline session
    
    Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 26 ++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 8621f73..7558034 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -127,6 +127,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
        private String currentUserName;
        private Set<String> currentRoles;
        private String adminRole;
+       private boolean isCurrentRoleSet = false;
 
        public RangerHiveAuthorizer(HiveMetastoreClientFactory 
metastoreClientFactory,
                                                                  HiveConf      
             hiveConf,
@@ -310,12 +311,14 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                if (ROLE_NONE.equalsIgnoreCase(roleName)) {
                        // for set role NONE, clear all roles for current 
session.
                        currentRoles.clear();
+                       isCurrentRoleSet = true;
                        return;
                }
                if (ROLE_ALL.equalsIgnoreCase(roleName)) {
                        // for set role ALL, reset roles to default roles.
                        currentRoles.clear();
                        currentRoles.addAll(getCurrentRoleNamesFromRanger());
+                       isCurrentRoleSet = true;
                        return;
                }
                for (String role : getCurrentRoleNamesFromRanger()) {
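Review bot: `isCurrentRoleSet = true;` is repeated by hand before each `return` in the NONE and ALL branches here, and again in the matching-role and ROLE_ADMIN branches of the next two hunks. A future branch that changes `currentRoles` can easily miss the flag, in which case `getCurrentRoles()` would refetch from Ranger and overwrite the session's choice. A single private helper that replaces the set and raises the flag together would keep the two in step, for example `private void setSessionRoles(Set<String> roles) { currentRoles.clear(); currentRoles.addAll(roles); isCurrentRoleSet = true; }`. The enclosing method starts and ends outside these hunks, so any path that resets the flag is not visible here.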
@@ -323,6 +326,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                        if (role.equalsIgnoreCase(roleName)) {
                                currentRoles.clear();
                                currentRoles.add(role);
+                               isCurrentRoleSet = true;
                                return;
                        }
                }
@@ -330,6 +334,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                if (ROLE_ADMIN.equalsIgnoreCase(roleName) && null != 
this.adminRole) {
                        currentRoles.clear();
                        currentRoles.add(adminRole);
+                       isCurrentRoleSet = true;
                        return;
                }
                LOG.info("Current user : " + currentUserName + ", Current Roles 
: " + currentRoles);
@@ -3011,7 +3016,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
 
        private Set<String> getCurrentRoles() {
                // from SQLStdHiveAccessController.getCurrentRoles()
-               initUserRoles();
+               getCurrentRoleForCurrentUser();
                return currentRoles;
        }
 
@@ -3037,6 +3042,21 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                LOG.info("Current user : " + currentUserName + ", Current Roles 
: " + currentRoles);
        }
 
+       private void getCurrentRoleForCurrentUser() {
+               if (isCurrentRoleSet) {
+                       // current session has a role set, so no need to fetch 
roles.
+                       return;
+               }
+               String newUserName = getHiveAuthenticator().getUserName();
+               this.currentUserName = newUserName;
+               try {
+                       currentRoles = getCurrentRoleNamesFromRanger();
+               } catch (HiveAuthzPluginException e) {
+                       LOG.error("Error while fetching roles from ranger for 
user : " + currentUserName, e);
+               }
+               LOG.info("Current user : " + currentUserName + ", Current Roles 
: " + currentRoles);
+       }
+
        private Set<String> getCurrentRolesForUser(String user, Set<String> 
groups) {
                if (LOG.isDebugEnabled()) {
                        LOG.debug("==> 
RangerHiveAuthorizer.getCurrentRolesForUser()");
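Review bot: In `getCurrentRoleForCurrentUser()` the catch block only logs, so when `getCurrentRoleNamesFromRanger()` throws, `currentRoles` keeps its previous value (possibly null, or roles fetched under an earlier user name) while `currentUserName` has already been overwritten. Failing closed would be safer for an authorizer, for example `currentRoles = new HashSet<>();` inside the catch, or rethrowing so `getCurrentRoles()` does not return stale roles. The `isCurrentRoleSet` early return also runs before the user name is re-read, so after a SET ROLE the roles stay pinned even if `getHiveAuthenticator().getUserName()` would now return a different name. Whether that can happen within one authorizer instance is not visible in this hunk and is worth confirming. The method returns nothing despite its `get` prefix; a name like `refreshCurrentRoles` and a short Javadoc stating when roles are refetched would make the contract clearer.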
@@ -3044,9 +3064,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
 
                Set<String>  ret  = hivePlugin.getRolesFromUserAndGroups(user, 
groups);
 
-               if (CollectionUtils.isNotEmpty(ret) && 
CollectionUtils.isNotEmpty(currentRoles) && ret.containsAll(currentRoles)) {
-                       ret = currentRoles;
-               }
+               ret = (isCurrentRoleSet) ? currentRoles : ret;
 
                if (LOG.isDebugEnabled()) {
                        LOG.debug("<== 
RangerHiveAuthorizer.getCurrentRolesForUser() User: " + currentUserName + ", 
User Roles: " + ret);
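Review bot: `ret = (isCurrentRoleSet) ? currentRoles : ret;` drops the only visible comparison between the session's roles and what `hivePlugin.getRolesFromUserAndGroups(user, groups)` currently returns. Once SET ROLE has run, a role later removed from the user in Ranger is still returned here until the session ends. The `user` and `groups` arguments are also ignored in that case, so a caller passing anyone other than the session user would get the session's roles. If every caller passes the session user, say so in a comment above the line; otherwise consider a guard such as `ret = (isCurrentRoleSet && Objects.equals(user, currentUserName)) ? currentRoles : ret;`. If revocation must take effect mid-session, document that it does not, or revalidate the pinned roles against `ret`, taking care that the ROLE_ADMIN branch adds `adminRole` outside the Ranger role list. The method's callers and the rest of its body are outside this hunk, so the impact on policy evaluation is inferred rather than shown.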
