-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72642/
-----------------------------------------------------------
(Updated July 6, 2020, 2:21 a.m.)
Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep
Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2893
https://issues.apache.org/jira/browse/RANGER-2893
Repository: ranger
Description
-------
When we enable the Ranger Hive plugin, show grant at the database level will
fail and throw the exception "RangerHiveAuthorizer.showPrivileges() only
supports SHOW PRIVILEGES for Hive resources and not user level", although we
are not showing grants at the user level, but at the database level.
For example,
```sql
show grant on database default;
```
and the exception,
```bash
ERROR : FAILED: Execution Error, return code 1 from
org.apache.hadoop.hive.ql.exec.DDLTask. RangerHiveAuthorizer.showPrivileges()
error: RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for
Hive resources and not user level
```
The reason is that the parameter privObj.objectName passed to
RangerHiveAuthorizer.showPrivileges is null when showing grants at the database
level, and the exception "RangerHiveAuthorizer.showPrivileges() only supports
SHOW PRIVILEGES for Hive resources and not user level" will be thrown when
objectName is null. The function is normal when the type of privObj is TABLE,
because the dbName is the db name and the objectName is the table name.
We should check whether the dbName is null instead of checking the objectName.
We also need to fix the objectName to "*" when it is null to represent all
tables in the db in HivePrivilegeInfo.
Diffs (updated)
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
c8761108b
Diff: https://reviews.apache.org/r/72642/diff/2/
Changes: https://reviews.apache.org/r/72642/diff/1-2/
Testing
-------
show grant on database will correctly display privileges, and display '*' in
table column to represent all tables in a db.
```bash
SHOW GRANT on database default;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
| default   | *      | []         | []      | hadoop          | USER            | ALTER      | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | CREATE     | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | DROP       | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | INDEX      | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | LOCK       | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | READ       | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | SELECT     | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | UPDATE     | true          | 0           | ranger   |
| default   | *      | []         | []      | hadoop          | USER            | WRITE      | true          | 0           | ranger   |
| default   | *      | []         | []      | hue             | USER            | SELECT     | false         | 0           | ranger   |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+
```
Thanks,
Jiayi Liu