[
https://issues.apache.org/jira/browse/RANGER-5352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-5352:
-------------------------------------
Fix Version/s: 2.8.0
> Resource changes in tag does not work correctly when delta sync & dedup is
> enabled
> ----------------------------------------------------------------------------------
>
> Key: RANGER-5352
> URL: https://issues.apache.org/jira/browse/RANGER-5352
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Kishor Gollapalliwar
> Assignee: Kishor Gollapalliwar
> Priority: Major
> Fix For: 3.0.0, 2.8.0
>
>
> Resource changes in tags, when multiple resources are associated with a single
> tag, are not reflected when we enable delta sync & dedup features.
> Steps:
> 0. Create 2 unix users (say finuser1 & finuser2) on cluster which will be
> used later
> 1. Create a tag service kg_tag_service and delete all default policies
> 2. Add kg_tag_service service in kg_hive service
> 3. Delete all the policies in kg_hive
> 4. Create a policy with the following details
> {code:java}
> Name: kg_test_hive_pol
> Policy Resource:
> Hive Database = *,vf include
> Hive Table = * include
> Hive Column = *
> User: finuser2,hive
> Allow Conditions :
> select, update, create, drop, alter, index, lock, all
> {code}
> 5. Create hive data with finuser2 user
> {code:java}
> CREATE DATABASE IF NOT EXISTS kg_db1;
> CREATE TABLE kg_db1.tbl_org1 (id int, tax int, ssn String);
> INSERT INTO kg_db1.tbl_org1 values(1,100,"ssn1");
> CREATE TABLE kg_db1.tbl_cp1 as select * from kg_db1.tbl_org1;
> CREATE view kg_db1.view_cp1 as select * from kg_db1.tbl_org1;
> !q
> {code}
>
> 6. Login to atlas and create a tag kg_atlas_tag1
> 7. Assign the tag to table tbl_org1 with propagate enabled. Hence
> kg_atlas_tag1 is automatically associated with tbl_cp1 & view_cp1 as well.
> 8. Create a new TAG service named kg_test_tag_service1, and associate it with
> kg_hive. Then create a tag policy inside kg_test_tag_service1 with the following
> details
> {code:java}
> Name: kg_test_tag_pol1
> Policy Resource:
> TAG=kg_atlas_tag1
> User: finuser1
> Allow Conditions:
> hive:select, hive:update, hive:create, hive:drop, hive:alter, hive:index,
> hive:all, hive:tempudfadmin, hive:lock
> {code}
> 9. Run the following hive commands using creds of finuser1
> {code:java}
> SELECT id FROM kg_db1.tbl_org1;
> SELECT id FROM kg_db1.tbl_cp1;
> SELECT id FROM kg_db1.view_cp1;
> !q
> {code}
> 10. Now run the following hive commands using creds of finuser2
> {code:java}
> DROP TABLE IF EXISTS kg_db1.tbl_org1;
> CREATE TABLE kg_db1.tbl_org1 (id int, tax int, ssn String);
> !q
> {code}
> 11. Now again run the following command using finuser1; this command/action
> should be denied.
> {code:java}
> SELECT id FROM kg_db1.tbl_org1;
> {code}
> 12. Now run the following commands, these must be allowed by tag policy
> (named, kg_test_tag_pol1), but actually it's denied.
> {code:java}
> SELECT id FROM kg_db1.tbl_cp1;
> SELECT id FROM kg_db1.view_cp1;
> !q
> {code}
>
> Fix: when a resource is removed from a tag, it should remove the tag from
> delta only when there are no other resources associated with them. Basically
> the tag delta response json should keep including the tag information till
> there is at least 1 resource associated with it.
>
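
The failure in steps 10-12 and the fix described above, as an added example that is not Ranger's code: a simplified model of a deduplicated tag delta in which one shared tag entry serves several resources. The function names and the delta layout are hypothetical, and the sample state is constructed from the names used in the report.

```python
# Simplified model of a tag-delta computation; NOT Ranger's code.
# All names here (build_delta, apply_delta, ...) are hypothetical.

def build_delta(tag_to_resources, removed_resource, fixed):
    """Server side: delta emitted when one resource loses its tags
    (for example, the table was dropped). With dedup, a single tag
    entry is shared by every resource that carries it."""
    delta = {"removed_resources": [removed_resource], "removed_tags": []}
    for tag, resources in tag_to_resources.items():
        if removed_resource not in resources:
            continue
        resources.discard(removed_resource)
        # Reported behaviour: the shared tag is dropped as soon as any
        # one resource leaves it.
        # Fixed behaviour: it is dropped only when no resource is left.
        if not fixed or not resources:
            delta["removed_tags"].append(tag)
    return delta


def apply_delta(plugin_tags, delta):
    """Plugin side: apply the delta to the cached resource -> tags map."""
    for res in delta["removed_resources"]:
        plugin_tags.pop(res, None)
    gone = set(delta["removed_tags"])
    for res in plugin_tags:
        plugin_tags[res] -= gone
    return plugin_tags


def tag_policy_allows(plugin_tags, resource, policy_tag):
    """A tag policy matches only if the resource still carries the tag."""
    return policy_tag in plugin_tags.get(resource, set())


def run_scenario(fixed):
    # Constructed sample state mirroring steps 7-12 of the report.
    names = ["kg_db1.tbl_org1", "kg_db1.tbl_cp1", "kg_db1.view_cp1"]
    server = {"kg_atlas_tag1": set(names)}
    plugin = {n: {"kg_atlas_tag1"} for n in names}
    apply_delta(plugin, build_delta(server, "kg_db1.tbl_org1", fixed))
    return {n: tag_policy_allows(plugin, n, "kg_atlas_tag1") for n in names}


if __name__ == "__main__":
    print("reported:", run_scenario(fixed=False))
    print("fixed:   ", run_scenario(fixed=True))
```
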