[jira] [Created] (RANGER-1712) Hive table was not inserted data after user created Hive Masking policy.

Tue, 25 Jul 2017 05:31:29 -0700 

Qiang Zhang created RANGER-1712:
-----------------------------------

             Summary: Hive table was not inserted data after user created Hive 
Masking policy.
                 Key: RANGER-1712
                 URL: https://issues.apache.org/jira/browse/RANGER-1712
             Project: Ranger
          Issue Type: Bug
          Components: plugins
            Reporter: Qiang Zhang
            Assignee: Qiang Zhang
            Priority: Critical


The RANGER-1578 issue used following logic in RangerHiveAuthorizer class.
segment 1:
if (isDataMaskEnabled(dataMaskResult)) {
    if(result == null) {
        result = new RangerAccessResult(dataMaskResult.getServiceName(), 
dataMaskResult.getServiceDef(), request);
    }
 
    result.setIsAllowed(false);  //set false
    result.setPolicyId(dataMaskResult.getPolicyId());
    result.setReason("User does not have acces to unmasked column values");
}
segment 2:
if(result == null || !result.getIsAllowed()) { //result.getIsAllowed() must 
equal to false. So the logic is error.
    String path = resource.getAsString();
    path = (path == null) ? "Unknown resource!!" : buildPathForException(path, 
hiveOpType);
    throw new HiveAccessControlException(String.format("Permission denied: user 
[%s] does not have [%s] privilege on [%s]",
         user, request.getHiveAccessType().name(), path));
}
The error reason is as following:
The result.setIsAllowed(false) was call in segment 1. So The 
result.getIsAllowed() must equal to false. This is a error.


 1.Scenarios 
create database cust; 
use cust; 

create table customer(id int,name_first string,name_last string,addr_country 
string, data_of_birth date, phone_num string)ROW FORMAT DELIMITED
FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;

insert into customer 
values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');

Result:insert sucess

 1):First create hive Access policy  users:mr have acess to all privilege to 
database(cust) and table(customer) and columns(*); (see Acess.png in detail)
 
 insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
 
 Result:insert sucess
 
 2)Second create Masking policy on cust.customer.name_first  (see Masking.png 
in detail)
 insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
 Result: Error: Error while compiling statement: FAILED: 
HiveAccessControlException Permission  denied: user [glc] does not have 
[UPDATE] privilege on [cust/customer] (state=42000,code=40000)
  
 3.Solution:
 Modify RangerHiveAuthorizer.java 
 change from "result.setIsAllowed(false);
                                                        
result.setPolicyId(dataMaskResult.getPolicyId());
                                                        result.setReason("User 
does not have acces to unmasked column values");"
 to 
 "result.setIsAllowed(dataMaskResult.getIsAllowed());
                                                        
result.setPolicyId(dataMaskResult.getPolicyId());
                                                        
if(!dataMaskResult.getIsAllowed()){
                                                        result.setReason("User 
does not have acces to unmasked column values");
                                                        }"



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to