-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74581/#review225719
-----------------------------------------------------------

Ship it!


Ship It!

- Madhan Neethiraj


On Sept. 5, 2023, 8:50 a.m., Mugdha Varadkar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74581/
> -----------------------------------------------------------
>
> (Updated Sept. 5, 2023, 8:50 a.m.)
>
>
> Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Mehul Parikh, and
> Nikunj Pansuriya.
>
>
> Bugs: RANGER-4392
>     https://issues.apache.org/jira/browse/RANGER-4392
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce :
>
> Precondition
>
> 1. Hive table with name "testtable1_polcond" exists with tag with attributes
> expire_date, and name. Expiry date is in the future, and name has value:
> "hivetag".
> 2. A ranger tag-based policy exists with "Accessed after expiry_date": no,
> and the following boolean expression:
>
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
>
> providing access to user test_user
>
> Test steps
>
> 1. As user test_user in beeline, execute:
>
> select * from testdb1_polcond.testtable1_polcond;
>
> Expected behavior: Query should be executed successfully as tag based policy
> provides access.
>
> Actual behavior : Permission denied.
> In hive logs, the following is seen:
>
> 2023-08-28 11:43:34,716 INFO org.apache.hadoop.hive.ql.Driver:
> [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(q
> ueryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select *
> from testdb1_polcond.testtable1_polcond
>
>
> 2023-08-28 11:43:34,944 ERROR
> org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator:
> [a95535bb-6daf-466b-9464-fe505f224a0b etp5
> 97410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to
> evaluate script, exception=javax.script.ScriptException: org.graalvm
> .polyglot.PolyglotException: SyntaxError: <eval>:1:66 Expected , but found eof
> exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
>
>
> Policy condition response :
> curl -u 'admin:Admin123'
> 'https://test-leyqrl-1.test-leyqrl.root.hwx.site:6182/service/plugins/policies/102'
> \
> -H 'Accept: application/json, text/plain, {*}/{*}' \
> --insecure
>
> In the resulting json, the value for the policy condition is the following:
> "conditions": [
>   {
>     "type": "accessed-after-expiry",
>     "values": [
>       "no"
>     ]
>   },
>   {
>     "type": "expression",
>     "values": [
>       "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
>       "\"name\").equals(\"hivetag\");"
>     ]
>   }
> ],
>
> It looks as if Ranger Admin would split the content of the "expression" field
> along the comma, and that's what leads to syntax error in hive logs.
>
>
> Diffs
> -----
>
>   security-admin/src/main/webapp/react-webapp/src/components/Editable.jsx
> 75f7fcff1199345df593ed97c5b7cf0beebd3aca
>
>   security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/AddUpdatePolicyForm.jsx
> 51df2e378a7415936317c6463b4413293e0a9c4c
>
>   security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/PolicyConditionsComp.jsx
> 32d80280984e550027c34c41bda46fda7d5bf07f
>
>
> Diff: https://reviews.apache.org/r/74581/diff/1/
>
>
> Testing
> -------
>
> Tested changes on a cluster setup with Ranger Admin build with React JS code
> base.
>
> Verified below policy condition getting saved correctly from Ranger Admin UI.
> ```
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
> ```
>
>
> Successful completion of build command :
> mvn clean compile package -Psecurity-admin-react
>
>
> Thanks,
>
> Mugdha Varadkar
>
>
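
The stored-condition symptom reported above (one script saved as two "expression" values) can be checked for in exported policy JSON. The following Node.js sketch is an added example, not code from the review request or from Ranger. Assumptions: the helper names are hypothetical, `samplePolicy` is constructed from the JSON in the report, `splitOnComma` only models the suspected behaviour, and the syntax check uses the local JavaScript engine rather than the plugin's script engine.

```javascript
// Added example, not Ranger code. The condition layout follows the report's JSON.

// Constructed sample: the "conditions" array shown for the affected policy.
const samplePolicy = {
  id: 102,
  conditions: [
    { type: "accessed-after-expiry", values: ["no"] },
    {
      type: "expression",
      values: [
        'ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"',
        '"name").equals("hivetag");',
      ],
    },
  ],
};

// Syntax check only: new Function() compiles the text and never calls it.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Assumed form of the defect: a comma-delimited text field turned into values.
function splitOnComma(text) {
  return text.split(",").map((s) => s.trim());
}

// Report "expression" conditions holding a fragment that does not parse
// alone while the comma-joined whole does, i.e. one script stored in pieces.
function findSplitExpressions(policy) {
  const findings = [];
  for (const cond of policy.conditions || []) {
    if (cond.type !== "expression" || !Array.isArray(cond.values)) continue;
    if (cond.values.length < 2) continue;
    const joined = cond.values.join(", ");
    if (cond.values.some((v) => !parses(v)) && parses(joined)) {
      findings.push({ policyId: policy.id, repaired: joined });
    }
  }
  return findings;
}

console.log(findSplitExpressions(samplePolicy));
```

A finding means the policy condition fails to evaluate in the plugin and the policy does not grant the intended access until the expression is saved again as a single value.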