Kishor Gollapalliwar created RANGER-5352:
--------------------------------------------
Summary: Resource changes in tag does not work correctly when
delta sync & dedup is enabled
Key: RANGER-5352
URL: https://issues.apache.org/jira/browse/RANGER-5352
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 3.0.0
Reporter: Kishor Gollapalliwar
Assignee: Kishor Gollapalliwar
Resource changes in tags, when multiple resources are associated with a single
tag, are not reflected when we enable the delta sync & dedup features.
Steps:
0. Create 2 unix users (say finuser1 & finuser2) on the cluster, which will be used
later
1. Create a tag service kg_tag_service and delete all default policies
2. Add the kg_tag_service service in the kg_hive service
3. Delete all the policies in kg_hive
4. Create a policy with the following details
{code:java}
Name: kg_test_hive_pol
Policy Resource:
Hive Database = *,vf include
Hive Table = * include
Hive Column = *
User: finuser2,hive
Allow Conditions :
select, update, create, drop, alter, index, lock, all
{code}
5. Create hive data with the finuser2 user
{code:java}
CREATE DATABASE IF NOT EXISTS kg_db1;
CREATE TABLE kg_db1.tbl_org1 (id int, tax int, ssn String);
INSERT INTO kg_db1.tbl_org1 values(1,100,"ssn1");
CREATE TABLE kg_db1.tbl_cp1 as select * from kg_db1.tbl_org1;
CREATE view kg_db1.view_cp1 as select * from kg_db1.tbl_org1;
!q
{code}
6. Log in to atlas and create a tag kg_atlas_tag1
7. Assign the tag to table tbl_org1 with propagate enabled. Hence kg_atlas_tag1
is automatically associated with tbl_cp1 & view_cp1 as well.
8. Create a new TAG service named kg_test_tag_service1, and associate it with
kg_hive. Then create a tag policy inside kg_test_tag_service1 with the following
details
{code:java}
Name: kg_test_tag_pol1
Policy Resource:
TAG=kg_atlas_tag1
User: finuser1
Allow Conditions:
hive:select, hive:update, hive:create, hive:drop, hive:alter, hive:index,
hive:all, hive:tempudfadmin, hive:lock
{code}
9. Run the following hive commands using the creds of finuser1
{code:java}
SELECT id FROM kg_db1.tbl_org1;
SELECT id FROM kg_db1.tbl_cp1;
SELECT id FROM kg_db1.view_cp1;
!q
{code}
10. Now run the following hive commands using the creds of finuser2
{code:java}
DROP TABLE IF EXISTS kg_db1.tbl_org1;
CREATE TABLE kg_db1.tbl_org1 (id int, tax int, ssn String);
!q
{code}
11. Now run the following command again using finuser1; this command/action should
be denied.
{code:java}
SELECT id FROM kg_db1.tbl_org1;
{code}
12. Now run the following commands; these must be allowed by the tag policy (named
kg_test_tag_pol1), but they are actually denied.
{code:java}
SELECT id FROM kg_db1.tbl_cp1;
SELECT id FROM kg_db1.view_cp1;
!q
{code}
Fix: when a resource is removed from a tag, the tag should be removed from the delta
only when there are no other resources associated with it. Basically, the tag
delta response JSON should keep including the tag information as long as there is
at least 1 resource associated with it.
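The rule in the "Fix" paragraph, replayed against steps 7-12 as an added example (not part of the original report and not Ranger's code). It is a simplified model: the class names `TagStore` and `PluginCache` and the delta fields `removed_resources` / `removed_tags` are hypothetical.

```python
from collections import defaultdict

TAG_POLICY = {"kg_atlas_tag1": {"finuser1"}}   # users granted by kg_test_tag_pol1
RESOURCES = ["kg_db1.tbl_org1", "kg_db1.tbl_cp1", "kg_db1.view_cp1"]

class TagStore:
    """Admin side. With dedup, one tag entry is shared by every tagged resource."""
    def __init__(self):
        self.tags = {}                          # tag_id -> tag name
        self.resource_tags = defaultdict(set)   # resource -> {tag_id}

    def attach(self, resource, tag_id, name):
        self.tags[tag_id] = name
        self.resource_tags[resource].add(tag_id)

    def drop_resource(self, resource, fixed):
        """Build the delta sent to plugins when a resource is dropped."""
        delta = {"removed_resources": [resource], "removed_tags": []}
        for tag_id in sorted(self.resource_tags.pop(resource, set())):
            shared = any(tag_id in ids for ids in self.resource_tags.values())
            if not shared:
                self.tags.pop(tag_id, None)     # last reference: the tag really goes
            if not (fixed and shared):
                delta["removed_tags"].append(tag_id)   # buggy path drops a shared tag
        return delta

class PluginCache:
    """Plugin side. Applies deltas on top of its last full download."""
    def __init__(self, store):
        self.tags = dict(store.tags)
        self.resource_tags = {r: set(t) for r, t in store.resource_tags.items()}

    def apply(self, delta):
        for resource in delta["removed_resources"]:
            self.resource_tags.pop(resource, None)
        for tag_id in delta["removed_tags"]:
            self.tags.pop(tag_id, None)

    def allowed(self, user, resource):
        names = {self.tags[t] for t in self.resource_tags.get(resource, ()) if t in self.tags}
        return any(user in TAG_POLICY.get(n, ()) for n in names)

def scenario(fixed):
    """Steps 7-12: tag three resources, drop tbl_org1, then query as finuser1."""
    store = TagStore()
    for resource in RESOURCES:
        store.attach(resource, 1, "kg_atlas_tag1")
    plugin = PluginCache(store)
    plugin.apply(store.drop_resource("kg_db1.tbl_org1", fixed))
    return {r: plugin.allowed("finuser1", r) for r in RESOURCES}
```

`scenario(False)` reproduces the reported denial on tbl_cp1 and view_cp1, while `scenario(True)` denies only the dropped tbl_org1.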