[ https://issues.apache.org/jira/browse/RANGER-3193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
sneha_surjuse reassigned RANGER-3193:
-------------------------------------

    Assignee: sneha_surjuse

> create view as select is denied if the view and select table are in different schemas
> -------------------------------------------------------------------------------------
>
>                 Key: RANGER-3193
>                 URL: https://issues.apache.org/jira/browse/RANGER-3193
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.1.0
>         Environment: Ranger 2.1.0, prestosql 350
>            Reporter: Harish Kumar M
>            Assignee: sneha_surjuse
>            Priority: Blocker
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> create view as select is denied if the view and table are in different
> schemas (DBs), though the identity has valid privilege to create view in
> view owned schema.
> For example:
> CREATE VIEW db2.view1 AS SELECT col1,col2,col3 from db1.tbl1;
> In the above statement,
> Presto plugin validated two major permissions on the identity.
> 1. check on identity to create view under SCHEMA db2 is valid in the method
> checkCanCreateView
> 2. check the identity to select columns col1,col2,col3 on the table tbl1
> under schema db1 in the method checkCanCreateViewWithSelectFromColumns
> Whereas in Ranger Presto Plugin, in the method
> checkCanCreateViewWithSelectFromColumns, the check is done on the identity to
> create view on schema db1 instead of a check on select columns from table.
> When I check the code RangerSystemAccessControl.java
> {code:java}
> /**
>  * This check equals the check for checkCanCreateView
>  */
> @Override
> public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
>   try {
>     checkCanCreateView(context, table);
>   } catch (AccessDeniedException ade) {
>     LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
>     AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), context.getIdentity());
>   }
> }
> {code}
> Ranger checks the identity to create view on the selected table's schema.
> Due to this, in the below two scenarios the identity is checked incorrectly.
> Scenario 1:
> Identity has the privilege to create view in view owned schema and identity
> doesn't have privilege to create view in table owned schema. In this
> scenario, identity will be denied for the create view since the create view
> check is on both view and table owned schema.
> Scenario 2:
> Identity has the privilege to select and create view, but doesn't have
> privilege to select table. In this scenario, identity still can create view
> and select view though identity doesn't have privilege to select table.
> Please help to check this as this is latest Ranger versions.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
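
The two scenarios in the report, as a small self-contained model. This is an added example, not code from Ranger or from the reporter. The `Policy` grant store, the user `alice` and the function names are hypothetical, and the scenario grants are one reading of the report (scenario 1 assumes the select grant on db1.tbl1 exists).

```python
from dataclasses import dataclass, field

COLS = ("col1", "col2", "col3")

@dataclass
class Policy:
    """Constructed toy grant store for this example; not Ranger's policy model."""
    create_view: set = field(default_factory=set)  # {(user, schema)}
    select: set = field(default_factory=set)       # {(user, schema, table, column)}

    def can_create_view(self, user, schema):
        return (user, schema) in self.create_view

    def can_select(self, user, schema, table, columns):
        return all((user, schema, table, c) in self.select for c in columns)

def source_check_reported(p, user, schema, table, columns):
    # Behaviour described in the report: the create-view check is reused on the
    # source table's schema and the column list is never consulted.
    return p.can_create_view(user, schema)

def source_check_expected(p, user, schema, table, columns):
    # Behaviour the reporter expects: a select check on the source columns.
    return p.can_select(user, schema, table, columns)

def create_view_allowed(p, user, view_schema, src, source_check):
    schema, table = src
    return (p.can_create_view(user, view_schema)
            and source_check(p, user, schema, table, COLS))

def decide(p):
    """(reported, expected) for CREATE VIEW db2.view1 AS SELECT ... FROM db1.tbl1."""
    args = (p, "alice", "db2", ("db1", "tbl1"))
    return (create_view_allowed(*args, source_check_reported),
            create_view_allowed(*args, source_check_expected))

def scenario_1():
    # Create-view on db2 only; select on db1.tbl1 is assumed to be granted.
    p = Policy(create_view={("alice", "db2")},
               select={("alice", "db1", "tbl1", c) for c in COLS})
    return decide(p)

def scenario_2():
    # Create-view on db1 and db2, but no select grant on db1.tbl1.
    p = Policy(create_view={("alice", "db1"), ("alice", "db2")})
    return decide(p)

if __name__ == "__main__":
    print("scenario 1 (reported, expected):", scenario_1())
    print("scenario 2 (reported, expected):", scenario_2())
```

Scenario 1 is a false deny and scenario 2 is a false allow, so the same misplaced check both blocks legitimate view creation and lets a view expose columns the identity cannot select.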