Manh Nguyen created RANGER-4958:
-----------------------------------

             Summary: [Ranger Trino] Update (merge into) & Procedure failed with Access Denied error (Iceberg catalog)
                 Key: RANGER-4958
                 URL: https://issues.apache.org/jira/browse/RANGER-4958
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Manh Nguyen
         Attachments: Screenshot from 2024-10-14 18-22-47.png

h1. Environment details
 * Hadoop 3.0.0-cdh6.3.2
 * Hive 2.1.1 cdh6.3.2
 * Trino 425
 * ranger-trino-plugin-3.0.0-SNAPSHOT
h1. Steps to reproduce
- Iceberg catalog config:
{code:java}
connector.name=iceberg
hive.metastore.uri=thrift://hn-fornix-testing-bigdata-1.ghtklab.local:9083
hive.config.resources=/etc/hadoop/conf/core-site.xml,/etc/hadoop/conf/hdfs-site.xml
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/hn-fornix-testing-bigdata-1.ghtklab.local@ghtklab.local
hive.metastore.client.principal=hive/hn-fornix-testing-bigdata-1.ghtklab.local@ghtklab.local
hive.metastore.client.keytab=/etc/security/keytabs/hive/hive_thrift.keytab
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.trino.principal=hive/hn-fornix-testing-bigdata-1.ghtklab.local@ghtklab.local
hive.hdfs.trino.keytab=/etc/security/keytabs/hive/hive_thrift.keytab
iceberg.register-table-procedure.enabled=true
iceberg.unique-table-location=false
iceberg.security=ALLOW_ALL
{code}
- Ranger policy for the user running this query:

!image-2024-10-14-18-23-08-645.png!

- All queries are run as a user who has full access to all resources (Ranger policy attached)
{code:java}
-- create iceberg table
CREATE TABLE iceberg.default.test_iceberg
WITH (
    format = 'PARQUET'
) AS
SELECT 1 as id, 10 as users_count
UNION ALL
SELECT 2 as id, 20 as users_count
UNION ALL
SELECT 3 as id, 30 as users_count;

-- update (merge into) iceberg table
UPDATE iceberg.test.test_iceberg SET users_count = 100 WHERE id = 1;
MERGE INTO iceberg.test.test_iceberg AS target
USING (SELECT 1 as id, 100 as users_count) AS source
ON target.id = source.id
WHEN MATCHED THEN
    UPDATE SET users_count = source.users_count + target.users_count
WHEN NOT MATCHED THEN
    INSERT (id, users_count) VALUES (source.id, source.users_count);
{code}
 
 
h1. Error details
[4] Query failed (#20241007_104507_26890_cttwz): Access Denied: Cannot update columns [users_count] in table iceberg.test.test_iceberg
io.trino.spi.security.AccessDeniedException: Access Denied: Cannot update columns [users_count] in table iceberg.test.test_iceberg
 
h1. Expected behavior
The update (merge into) procedure should be successful.
 
 


