[
https://issues.apache.org/jira/browse/RANGER-3193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
sneha_surjuse reassigned RANGER-3193:
-------------------------------------
Assignee: sneha_surjuse
> create view as select is denied if the view and select table are in different
> schemas
> -------------------------------------------------------------------------------------
>
> Key: RANGER-3193
> URL: https://issues.apache.org/jira/browse/RANGER-3193
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.1.0
> Environment: Ranger 2.1.0, prestosql 350
> Reporter: Harish Kumar M
> Assignee: sneha_surjuse
> Priority: Blocker
> Time Spent: 10m
> Remaining Estimate: 0h
>
> create view as select is denied if the view and table are in different
> schemas (DBs), though the identity has a valid privilege to create a view in
> the view-owned schema.
> For example:
> CREATE VIEW db2.view1 AS SELECT col1,col2,col3 from db1.tbl1;
> In the above statement,
> the Presto plugin validated two major permissions on the identity.
> 1. The check on the identity to create a view under SCHEMA db2 is valid in the method
> checkCanCreateView
> 2. A check on the identity to select columns col1,col2,col3 on the table tbl1
> under schema db1 in the method checkCanCreateViewWithSelectFromColumns
> Whereas in the Ranger Presto plugin, in the method
> checkCanCreateViewWithSelectFromColumns, the check is done on the identity to
> create a view on schema db1 instead of a check on selecting columns from the table.
> When I check the code in RangerSystemAccessControl.java:
> {code:java}
> /**
>  * This check equals the check for checkCanCreateView
>  */
> @Override
> public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
>   try {
>     checkCanCreateView(context, table);
>   } catch (AccessDeniedException ade) {
>     LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
>     AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), context.getIdentity());
>   }
> }
> {code}
> Ranger checks the identity to create a view on the selected table's schema.
> Due to this, in the below two scenarios the identity is checked incorrectly.
> Scenario 1:
> The identity has the privilege to create a view in the view-owned schema, and the identity
> doesn't have the privilege to create a view in the table-owned schema. In this
> scenario, the identity will be denied the create view, since the create view
> check is on both the view-owned and table-owned schemas.
> Scenario 2:
> The identity has the privilege to select and create view, but doesn't have the
> privilege to select the table. In this scenario, the identity can still create the view
> and select the view, though the identity doesn't have the privilege to select the table.
> Please help to check this, as this is the latest Ranger version.
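The two scenarios in the report, modelled as an added example (this is not Ranger or Presto code). The grant strings and the helpers `allowed`, `selectCheckAsReported`, `selectCheckExpected` and `createView` are hypothetical; only `checkCanCreateView` and the SQL statement are taken from the report.

```java
import java.util.Set;

// Toy policy model (added illustration; not Ranger or Presto code).
public class CreateViewCheckDemo {
    // A grant is a constructed string "privilege:resource" held by one identity.
    static boolean allowed(Set<String> grants, String privilege, String resource) {
        return grants.contains(privilege + ":" + resource);
    }

    // Check 1 in the report: may the identity create a view in this schema?
    static boolean checkCanCreateView(Set<String> grants, String schema) {
        return allowed(grants, "create_view", schema);
    }

    // Behaviour the report describes: the select-side check reuses the create-view
    // check, evaluated against the schema of the table being selected from.
    static boolean selectCheckAsReported(Set<String> grants, String schema,
                                         String table, Set<String> columns) {
        return checkCanCreateView(grants, schema);
    }

    // Behaviour the reporter expects: select privilege on every referenced column.
    static boolean selectCheckExpected(Set<String> grants, String schema,
                                       String table, Set<String> columns) {
        return columns.stream()
                .allMatch(c -> allowed(grants, "select", schema + "." + table + "." + c));
    }

    // Decision for: CREATE VIEW db2.view1 AS SELECT col1,col2,col3 FROM db1.tbl1
    static boolean createView(Set<String> grants, boolean asReported) {
        Set<String> cols = Set.of("col1", "col2", "col3");
        boolean selectOk = asReported
                ? selectCheckAsReported(grants, "db1", "tbl1", cols)
                : selectCheckExpected(grants, "db1", "tbl1", cols);
        return checkCanCreateView(grants, "db2") && selectOk;
    }

    public static void main(String[] args) {
        // Scenario 1: create view in db2 and select on db1.tbl1, no create view in db1.
        Set<String> s1 = Set.of("create_view:db2", "select:db1.tbl1.col1",
                "select:db1.tbl1.col2", "select:db1.tbl1.col3");
        // Scenario 2: create view in both schemas, no select on db1.tbl1.
        Set<String> s2 = Set.of("create_view:db2", "create_view:db1");
        System.out.printf("scenario 1: reported=%b expected=%b%n",
                createView(s1, true), createView(s1, false));
        System.out.printf("scenario 2: reported=%b expected=%b%n",
                createView(s2, true), createView(s2, false));
    }
}
```

Under the reported behaviour, scenario 1 is denied although every required grant is present, and scenario 2 is allowed although no select grant on `db1.tbl1` exists. The second case is the one to look for when reviewing existing views against table-level select policies.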