tooptoop4 edited a comment on issue #36: [RANGER-2395] Add Presto plugin URL: https://github.com/apache/ranger/pull/36#issuecomment-570348580 some fixes: https://github.com/apache/ranger/blob/master/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java#L130 change checkCanSetSystemSessionProperty to have a dummy IF condition that always results in false so that session properties are never denied https://github.com/apache/ranger/blob/master/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java#L116 change checkCanSetUser to have an IF condition (principal does not equal userName) then accessDenied. This is critical so that users can't impersonate the privileges of another user public void checkCanSetUser(final Optional<Principal> principal, final String userName) { final String loweruserName = userName.toLowerCase(); RangerSystemAccessControl.LOG.info("==> RangerSystemAccessControl.checkCanSetUser(userName=" + loweruserName + ")"); if (principal.isPresent()) { final String principalName = principal.get().getName().toLowerCase(); RangerSystemAccessControl.LOG.info("==> RangerSystemAccessControl.checkCanSetUser(principalName=" + principalName + ")"); if (!loweruserName.equals(principalName)) { AccessDeniedException.denySetUser((Optional)principal, userName); } } } https://github.com/prestodb/presto/issues/13394 remove deny in presto code
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
