[ https://issues.apache.org/jira/browse/RANGER-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Qiang Zhang updated RANGER-1712:
--------------------------------
    Attachment: 0001-RANGER-1712-Hive-table-was-not-inserted-data-after-u.patch
                Access.png
                masking.png

> Hive table was not inserted data after user created Hive Masking policy.
> ------------------------------------------------------------------------
>
>                 Key: RANGER-1712
>                 URL: https://issues.apache.org/jira/browse/RANGER-1712
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>            Reporter: Qiang Zhang
>            Assignee: Qiang Zhang
>            Priority: Critical
>              Labels: patch
>         Attachments: 0001-RANGER-1712-Hive-table-was-not-inserted-data-after-u.patch, Access.png, masking.png
>
>
> The RANGER-1578 issue used the following logic in the RangerHiveAuthorizer class.
> segment 1:
> if (isDataMaskEnabled(dataMaskResult)) {
>     if(result == null) {
>         result = new RangerAccessResult(dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
>     }
>
>     result.setIsAllowed(false);  //set false
>     result.setPolicyId(dataMaskResult.getPolicyId());
>     result.setReason("User does not have acces to unmasked column values");
> }
> segment 2:
> // result.getIsAllowed() must equal false, so the logic is in error. The program
> // logic will always go to the following code segment.
> if(result == null || !result.getIsAllowed()) {
>     String path = resource.getAsString();
>     path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
>     throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
>          user, request.getHiveAccessType().name(), path));
> }
> The reason for the error is as follows:
> result.setIsAllowed(false) was called in segment 1, so result.getIsAllowed() must equal false. This is an error.
>  1. Scenarios
> create database cust;
> use cust;
> create table customer(id int,name_first string,name_last string,addr_country string, data_of_birth date, phone_num string)ROW FORMAT DELIMITED
> FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS TEXTFILE;
> insert into customer values(1,'Mackenzy','Smith','US','1993-12-18','123-456-7890');
> Result: insert success
>  1) First, create a Hive Access policy: users:mr have access to all privileges on database(cust), table(customer) and columns(*) (see Access.png for details)
>
>  insert into customer values(2,'Tom','Jacks','DE','1995-12-18','456-7890-123');
>
>  Result: insert success
>
>  2) Second, create a Masking policy on cust.customer.name_first (see Masking.png for details)
>  insert into customer values(3,'Lucy','David','DE','1999-11-18','356-1230-189');
>  Result: Error: Error while compiling statement: FAILED: HiveAccessControlException Permission  denied: user [glc] does not have [UPDATE] privilege on [cust/customer] (state=42000,code=40000)
>   
>  3. Solution:
>  Modify RangerHiveAuthorizer.java,
>  change from
>      result.setIsAllowed(false);
>      result.setPolicyId(dataMaskResult.getPolicyId());
>      result.setReason("User does not have acces to unmasked column values");
>  to
>      result.setIsAllowed(dataMaskResult.getIsAllowed());
>      result.setPolicyId(dataMaskResult.getPolicyId());
>      if(!dataMaskResult.getIsAllowed()){
>          result.setReason("User does not have acces to unmasked column values");
>      }



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
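
Added example, not part of the JIRA message or of Ranger's code: a stand-alone Java model of the two quoted segments, run with segment 1 as quoted and with the change proposed in the issue. `MaskDecisionDemo`, `Result` and the four input rows are hypothetical and constructed; what `dataMaskResult.getIsAllowed()` returns for a given user is an assumption supplied as an input.

```java
// Added illustration; Result is a hypothetical stand-in for RangerAccessResult.
public class MaskDecisionDemo {
    static final class Result {
        boolean allowed;
        String reason;
        Result(boolean allowed) { this.allowed = allowed; }
    }

    // Segment 1 as quoted in the issue: an enabled mask always forces a deny.
    static Result segment1Before(Result result, Result mask, boolean maskEnabled) {
        if (maskEnabled) {
            if (result == null) result = new Result(false);
            result.allowed = false;
            result.reason = "User does not have acces to unmasked column values"; // text as quoted
        }
        return result;
    }

    // Segment 1 with the proposed change: copy the mask evaluation's decision.
    static Result segment1After(Result result, Result mask, boolean maskEnabled) {
        if (maskEnabled) {
            if (result == null) result = new Result(false);
            result.allowed = mask.allowed;
            if (!mask.allowed) {
                result.reason = "User does not have acces to unmasked column values";
            }
        }
        return result;
    }

    // Segment 2 as quoted: true means HiveAccessControlException would be thrown.
    static boolean denied(Result result) {
        return result == null || !result.allowed;
    }

    public static void main(String[] args) {
        // Constructed inputs: {result allowed so far, mask enabled, mask result allowed}.
        // Whether result can already hold a deny here (last row) is not shown in the issue.
        boolean[][] cases = {
            {true, false, false}, {true, true, true}, {true, true, false}, {false, true, true}
        };
        for (boolean[] c : cases) {
            boolean before = denied(segment1Before(new Result(c[0]), new Result(c[2]), c[1]));
            boolean after = denied(segment1After(new Result(c[0]), new Result(c[2]), c[1]));
            System.out.printf("result=%b maskEnabled=%b maskAllowed=%b -> before: %s, after: %s%n",
                c[0], c[1], c[2], before ? "DENY" : "allow", after ? "DENY" : "allow");
        }
    }
}
```

The second row corresponds to the INSERT scenario in the issue. The last row shows that the proposed `setIsAllowed(dataMaskResult.getIsAllowed())` replaces whatever decision `result` already held, which is worth confirming against the surrounding code.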
