-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72642/#review221119
-----------------------------------------------------------


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Line 2551 (original), 2551 (patched)
<https://reviews.apache.org/r/72642/#comment309908>

    Please review if #2391 needs to be updated to handle 'objectName==null', similar to #2551.

    2391: hivePrivilegeObject = new HivePrivilegeObject(objectType, dbName, objectName);


- Madhan Neethiraj


On July 3, 2020, 2:28 p.m., Jiayi Liu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72642/
> -----------------------------------------------------------
>
> (Updated July 3, 2020, 2:28 p.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep
> Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2893
>     https://issues.apache.org/jira/browse/RANGER-2893
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When we enable Ranger Hive plugin, show grant at the database level will
> fail, and throw the exception "RangerHiveAuthorizer.showPrivileges() only
> supports SHOW PRIVILEGES for Hive resources and not user level". Although we
> are not showing grants at the user level, but at the database level.
>
> For example,
> ```sql
> show grant on database default;
> ```
> and the exception,
> ```bash
> ERROR : FAILED: Execution Error, return code 1 from
> org.apache.hadoop.hive.ql.exec.DDLTask. RangerHiveAuthorizer.showPrivileges()
> error: RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES
> for Hive resources and not user level
> ```
>
> The reason is that the parameter privObj.objectName passed to
> RangerHiveAuthorizer.showPrivileges is null when show grant is run at the
> database level, and the exception "RangerHiveAuthorizer.showPrivileges() only
> supports SHOW PRIVILEGES for Hive resources and not user level" will be thrown
> when objectName is null. The function is normal when the type of privObj is
> TABLE, because the dbName is the db name and the objectName is the table name.
>
> We should check whether the dbName is null instead of checking the objectName.
> We also need to fix the objectName to "*" when it is null to represent all
> tables in the db in HivePrivilegeInfo.
>
>
> Diffs
> -----
>
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java c8761108b
>
>
> Diff: https://reviews.apache.org/r/72642/diff/1/
>
>
> Testing
> -------
>
> show grant on database will correctly display privileges, and display '*' in
> table column to represent all tables in a db.
> ```bash
> SHOW GRANT on database default;
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> | default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
> | default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
> | default   | *      | []         | []      | hue             | USER            | SELECT     | false         | 0           | ranger   |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
> ```
>
>
> Thanks,
>
> Jiayi Liu
>
>
