[
https://issues.apache.org/jira/browse/HAWQ-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15870890#comment-15870890
]
Alexander Denissov commented on HAWQ-1332:
------------------------------------------
This is not a bug. Any policies that are applicable to databases must have
schema and table resources set to "*" value and be included. If they are set to
specific values, these values must be provided when request for isAccessAllowed
is made to RPS and HAWQ only sends the database name with such requests.
We also suspect that using "exclude" flag essentially excludes given resource
from having the policy applied to it. It probably does not exclude the given
resource level from resource definition, as you expected. But this statement
needs further researching.
> Can not grant database and schema privileges without table privileges in
> ranger or ranger plugin service
> --------------------------------------------------------------------------------------------------------
>
> Key: HAWQ-1332
> URL: https://issues.apache.org/jira/browse/HAWQ-1332
> Project: Apache HAWQ
> Issue Type: Bug
> Components: Security
> Reporter: Chunling Wang
> Assignee: Alexander Denissov
> Attachments: screenshot-1.png, screenshot-2.png, screenshot-3.png
>
>
> We try to grant database connect and schema usage privileges to a non-super
> user to connect database. We find that if we set policy with database and
> schema included, but with table excluded, we can not connect database. But if
> we include table, we can connect to database. We think there may be bug in
> Ranger Plugin Service or Ranger. Here are steps to reproduce it.
> 1. create a new user "usertest1" in database:
> {code}
> $ psql postgres
> psql (8.2.15)
> Type "help" for help.
> postgres=# CREATE USER usertest1;
> NOTICE: resource queue required -- using default resource queue "pg_default"
> CREATE ROLE
> postgres=#
> {code}
> 2. add user "usertest1" in pg_hba.conf
> {code}
> local all usertest1 trust
> {code}
> 3. set policy with database and schema included, with table excluded
> !screenshot-1.png|width=800,height=400!
> 4. connect database with user "usertest1" but failed with permission denied
> {code}
> $ psql postgres -U usertest1
> psql: FATAL: permission denied for database "postgres"
> DETAIL: User does not have CONNECT privilege.
> {code}
> 5. set policy with database, schema and table included
> !screenshot-2.png|width=800,height=400!
> 6. connect database with user "usertest1" and succeed
> {code}
> $ psql postgres -U usertest1
> psql (8.2.15)
> Type "help" for help.
> postgres=#
> {code}
> But if we do not set table as "*", and specify table like "a", we can not
> access database either.
> !screenshot-3.png|width=800,height=400!
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
