> On May 8, 2020, 1:21 p.m., bhavik patel wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Lines 321 (patched)
> > <https://reviews.apache.org/r/72429/diff/2/?file=2229649#file2229649line323>
> >
> >     Any specific reason for not throwing any Exception.

Added error message there.

- Pradeep

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72429/#review220695
-----------------------------------------------------------

On April 24, 2020, 2:17 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72429/
> -----------------------------------------------------------
>
> (Updated April 24, 2020, 2:17 p.m.)
>
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Nixon Rodrigues, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
> Bugs: RANGER-2763
>     https://issues.apache.org/jira/browse/RANGER-2763
>
> Repository: ranger
>
> Description
> -------
>
> **Problem Statement:** Hive SET Role command is not supported in Ranger hive plugin
> Error message : setCurrentRole() not implemented in Ranger AbstractHiveAuthorizer
>
> **Proposed Solution:** Added implementation as per https://github.com/apache/hive/blob/f37c5de6c32b9395d1b34fa3c02ed06d1bfbf6eb/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L520
>
> However, the user's role list will not be fetched from Hivemetastore; rather, it will be fetched from Ranger admin.
>
> Note: command "set role" may not generate any audit logs as of now. I could not test the same as I don't have an environment.
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 89d585a3a
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java 2a28f701a
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java ea42c82c1
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java ee605e869
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 59a04058b
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java c9514141a
>   agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java b42353b0a
>   agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 4cca8ce84
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e9954c3ca
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 26c7dfb7c
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 6461a2467
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java d304bec81
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java 188f2b1b7
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java a6f74b95e
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java c752489ef
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHivePolicyProvider.java ba6b459bb
>   plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java dc2ed8a69
>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java d4521a392
>   ranger-examples/plugin-sampleapp/src/main/java/org/apache/ranger/examples/sampleapp/RangerAuthorizer.java 6b3d6eae7
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 5e9329133
>
> Diff: https://reviews.apache.org/r/72429/diff/3/
>
> Testing
> -------
>
> With patch:
> 1) Added two roles in ranger admin "admin" and "public" and added hive user in that.
> 2) logged in from hive user in hive cli and executed command "show current roles"
> 3) output received "public"
> 4) executed command "set role admin" and command was executed successfully
> 5) executed command "show current roles"
> 6) output received "admin"
> 7) executed command "show roles"
> 8) command failed to execute as "hive" is not an admin in Ranger and only user having "admin" role is ranger-admin can execute that.
>
> **Actual behaviour without Ranger ACL Use case :**
>
> 1) Login from hive user : create two roles, let's say role1 and role2
>
> 2) create one table table1 and insert a record.
>
> 3) grant select on the table1 to role1 and insert on the table1 to role2
>
> 4) create user testuser1 and give both role1 and role2 to user testuser1
>
> 5) login from user testuser1 and set role to role1 by using set role command
>
> 6) execute sql statement to select the records : since role1 is having select grant, the user will be able to view the records.
>
> 7) execute insert statement to add a record : since role1 is not having insert privileges and user has set current role to only role1, he would not be able to insert the records.
>
> 8) now run the command set role and set the role to role2
>
> 9) execute insert statement to add a record : since role2 is having insert privileges and user has set current role to only role2, he would be able to insert the records.
>
> 10) execute sql statement to select the records : since role2 is not having select permissions, the user will not be able to view the records.
>
> 11) logout and login again from same user and execute show current role command; both roles should be displayed.
>
> **With Ranger ACL:** With Ranger ACL, the use case is also the same as above.
>
>
> Thanks,
>
> Pradeep Agrawal
>
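
The role-switching behaviour walked through in the review request above, modelled in Java as an added example; it is not code from the Ranger patch or from Hive. The class `CurrentRoleModel`, the grant table and the unassigned role `role3` are hypothetical and constructed for the illustration.

```java
import java.util.Map;
import java.util.Set;

// Toy model of "current role" semantics (illustration only, not Ranger or Hive code).
public class CurrentRoleModel {
    // Constructed sample data mirroring the use case: role -> privileges on table1.
    static final Map<String, Set<String>> GRANTS = Map.of(
        "role1", Set.of("SELECT"),
        "role2", Set.of("INSERT"));

    private final Set<String> assignedRoles; // roles the user holds in the role store
    private Set<String> currentRoles;        // roles active in this session

    CurrentRoleModel(Set<String> assignedRoles) {
        this.assignedRoles = Set.copyOf(assignedRoles);
        this.currentRoles = this.assignedRoles; // a new session starts with every assigned role
    }

    // SET ROLE <name>: only a role the user actually holds may become current.
    void setRole(String role) {
        if (!assignedRoles.contains(role)) {
            throw new SecurityException("user does not belong to role " + role);
        }
        currentRoles = Set.of(role);
    }

    // A privilege is allowed only if one of the *current* roles grants it.
    boolean isAllowed(String privilege) {
        return currentRoles.stream()
            .anyMatch(r -> GRANTS.getOrDefault(r, Set.of()).contains(privilege));
    }

    public static void main(String[] args) {
        CurrentRoleModel s = new CurrentRoleModel(Set.of("role1", "role2"));
        s.setRole("role1");
        System.out.println("role1: select=" + s.isAllowed("SELECT") + " insert=" + s.isAllowed("INSERT"));
        s.setRole("role2");
        System.out.println("role2: select=" + s.isAllowed("SELECT") + " insert=" + s.isAllowed("INSERT"));
        try {
            s.setRole("role3"); // hypothetical role the user was never given
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
        // Logging in again creates a new session with both roles active.
        CurrentRoleModel fresh = new CurrentRoleModel(Set.of("role1", "role2"));
        System.out.println("fresh: select=" + fresh.isAllowed("SELECT") + " insert=" + fresh.isAllowed("INSERT"));
    }
}
```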