[ 
https://issues.apache.org/jira/browse/RANGER-2976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187459#comment-17187459
 ] 

Janus Chow commented on RANGER-2976:
------------------------------------

[~rmani], Ranger should check the permission for files under 
"hdfs://test/testdir", and it is OK to deny the request if the user doesn't have 
the permission to write the file.

The problem is when Ranger checks the permission of the file. Take 
"hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet"
for example: Ranger needs the user to have "rwx" on the file when the FsAction is 
defined as "ALL", but for files the user only needs the permission "rw-"; the 
"execute" permission shouldn't be checked for files.

If you are concerned with the permission check of directories, as I said in the 
description, HDFS will add the "EXECUTE" check if the target is a "Directory".

> User can not create external table in Hive Plugin
> -------------------------------------------------
>
>                 Key: RANGER-2976
>                 URL: https://issues.apache.org/jira/browse/RANGER-2976
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.0.0
>            Reporter: Janus Chow
>            Priority: Major
>         Attachments: RANGER-2976.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> A user "userA" wants to create an external table on "hdfs://test/testDir" 
> via Hive Metastore with the Ranger Hive plugin installed. Permission information is as 
> follows.
> {code:java}
> # id userA
> uid=3044(userA) gid=3044(userA) groups=992(supergroup)
> # hadoop fs -ls hdfs://test
> drwxrwxr-x   - userB supergroup          0 2019-01-01 00:00 hdfs://test/testDir
> # hadoop fs -ls hdfs://test/testDir
> -rw-rw-r--   3 userB supergroup    1000000 2019-01-01 00:00 hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet{code}
> When "userA" is trying to create an external table on "hdfs://test/testDir" 
> with the following command, 
> {code:java}
> spark.sql("create table userA_test USING org.apache.spark.sql.parquet OPTIONS ( path = 'hdfs://test/testDir')")
> {code}
> Ranger denied the operation with the following error message.
> {code:java}
> org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:Permission denied: user [userA] does not have [ALL] privilege on [hdfs://test/testDir])
> {code}
> The reason is when Ranger is checking URI permission, it will check if the 
> user has FSAction.ALL on the URI if "userA" is not the owner of the HDFS 
> path, but HDFS file will not set the execution permission by default, so the 
> Ranger permission check will return false.
> I think in the getURIAccessType function in RangerHiveAuthorizer, we should 
> return FSAction.READ_WRITE instead of FSAction.ALL. For HDFS directory, 
> Hadoop will help us to add FSAction.EXECUTE when we are trying to do the 
> permission check, we can skip FSAction.EXECUTE here to work well with HDFS 
> files. 
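The following is an added example, not code from the Ranger project or from this issue, that models the permission check the reporter and commenter describe: HDFS-style owner/group/other bits are resolved for the caller, EXECUTE is appended only when the target is a directory (as the comment states HDFS does), and the result of requiring FsAction.ALL is compared with requiring FsAction.READ_WRITE. The `hadoop fs -ls` lines, the user "userA" and its group membership are constructed from the values quoted in the issue; the parser, the bit values and all function names are assumptions of this example, not Ranger or Hadoop APIs.

```python
# FsAction bit values in the order Hadoop's FsAction enum uses (READ=4, WRITE=2, EXECUTE=1).
# Constants and helpers below are this example's own, not Ranger or Hadoop code.
READ, WRITE, EXECUTE = 4, 2, 1
READ_WRITE = READ | WRITE        # "rw-"
ALL = READ | WRITE | EXECUTE     # "rwx"

# Constructed sample lines shaped like the `hadoop fs -ls` output quoted in the issue.
DIR_LS = "drwxrwxr-x   - userB supergroup          0 2019-01-01 00:00 hdfs://test/testDir"
FILE_LS = ("-rw-rw-r--   3 userB supergroup    1000000 2019-01-01 00:00 "
           "hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet")


def _bits(rwx):
    """Translate one 'rwx' triple from an ls mode string into an FsAction bitmask."""
    return ((READ if rwx[0] == "r" else 0)
            | (WRITE if rwx[1] == "w" else 0)
            | (EXECUTE if rwx[2] == "x" else 0))


def parse_ls_line(line):
    """Parse one `hadoop fs -ls` line (no spaces in the path) into an entry dict."""
    fields = line.split()
    mode_str, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    mode = (_bits(mode_str[1:4]), _bits(mode_str[4:7]), _bits(mode_str[7:10]))
    return {"is_dir": mode_str[0] == "d", "owner": owner, "group": group,
            "mode": mode, "path": path}


def effective_bits(entry, user, groups):
    """Select the owner, group or other bits that apply to `user`, POSIX-style."""
    if user == entry["owner"]:
        return entry["mode"][0]
    if entry["group"] in groups:
        return entry["mode"][1]
    return entry["mode"][2]


def hdfs_check(entry, user, groups, required):
    """Model of the check described in the issue: HDFS adds EXECUTE when the
    target is a directory, then every bit in `required` must be granted."""
    if entry["is_dir"]:
        required |= EXECUTE
    return effective_bits(entry, user, groups) & required == required


def uri_access_allowed(ls_line, user, groups, required):
    """True if `user` (member of `groups`) holds `required` on the listed path."""
    return hdfs_check(parse_ls_line(ls_line), user, groups, required)


def compare_policies(user="userA", groups=frozenset({"supergroup"})):
    """Outcome of demanding FsAction.ALL versus FsAction.READ_WRITE on the
    file and on its parent directory for the constructed userA."""
    return {
        "file_all": uri_access_allowed(FILE_LS, user, groups, ALL),
        "file_read_write": uri_access_allowed(FILE_LS, user, groups, READ_WRITE),
        "dir_all": uri_access_allowed(DIR_LS, user, groups, ALL),
        "dir_read_write": uri_access_allowed(DIR_LS, user, groups, READ_WRITE),
    }


if __name__ == "__main__":
    for name, allowed in compare_policies().items():
        print(f"{name:16s} {'allowed' if allowed else 'denied'}")
```

For userA (group bits "rw-" on the file, "rwx" on the directory) requiring ALL denies the file while READ_WRITE allows it, and the directory passes under both because the modelled HDFS check adds EXECUTE itself; a caller outside the group, who only holds "r--" on the file, is still denied under READ_WRITE, so relaxing the required action does not open the file to users who lack write permission.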



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
