[jira] [Updated] (HAWQ-1279) Force to recompute namespace_path when enable_ranger
[ https://issues.apache.org/jira/browse/HAWQ-1279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hongxu Ma updated HAWQ-1279:

Description:
namespace_path is cached in each psql session and the cache invalidation is triggered by Grant/Revoke SQL.
When enable_ranger, Grant/Revoke SQL is no longer used, so the cache prevents an ack-check request from being sent.

Example:
{code}
// create table t(i int); => failed
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"public"},"privileges":["usage"],"allowed":false}]
// grant usage and create permissions to public schema in ranger and try again => failed again
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
// why not send a request for USAGE??
{code}

was:
namespace_path is cached in each psql session and it the cache invalidation is triggered by Grant/Revoke SQL.
When enable_ranger, Grant/Revoke SQL is no longer used, so the cache prevents an ack-check request from being sent.

Example:
{code}
// create table t(i int); => failed
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"public"},"privileges":["usage"],"allowed":false}]
// grant usage and create permissions to public schema in ranger and try again => failed again
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
// why not send a request for USAGE??
{code}

> Force to recompute namespace_path when enable_ranger
>
> Key: HAWQ-1279
> URL: https://issues.apache.org/jira/browse/HAWQ-1279
> Project: Apache HAWQ
> Issue Type: Sub-task
> Components: PXF, Security
> Reporter: Hongxu Ma
> Assignee: Hongxu Ma
> Fix For: backlog

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

[jira] [Updated] (HAWQ-1279) Force to recompute namespace_path when enable_ranger
[ https://issues.apache.org/jira/browse/HAWQ-1279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hongxu Ma updated HAWQ-1279:

Description:
namespace_path is cached in each psql session and it the cache invalidation is triggered by Grant/Revoke SQL.
When enable_ranger, Grant/Revoke SQL is no longer used, so the cache prevents an ack-check request from being sent.

Example:
{code}
// create table t(i int); => failed
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"public"},"privileges":["usage"],"allowed":false}]
// grant usage and create permissions to public schema in ranger and try again => failed again
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
// why not send a request for USAGE??
{code}

was:
namespace_path is cached in each psql session and it the cache invalidation is triggered by Grant/Revoke SQL.
When enable_ranger, Grant/Revoke SQL is no longer used, so the cache prevents an ack-check request from being sent.

Example:
```
// create table t(i int); => failed
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"public"},"privileges":["usage"],"allowed":false}]
// grant usage and create permissions to public schema in ranger and try again => failed again
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
[{"resource":{"database":"postgres","schema":"pg_catalog"},"privileges":["usage"],"allowed":true}]
// why not send a request for USAGE??
```

> Force to recompute namespace_path when enable_ranger
>
> Key: HAWQ-1279
> URL: https://issues.apache.org/jira/browse/HAWQ-1279
> Project: Apache HAWQ
> Issue Type: Sub-task
> Components: PXF, Security
> Reporter: Hongxu Ma
> Assignee: Hongxu Ma
> Fix For: backlog
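
A simplified model of the behaviour described in this issue, added here as an illustration and not taken from the HAWQ source or from the reporter: `RangerStub`, `Session`, `replay` and the `force_recompute` switch are hypothetical names, and the model covers only the namespace-path computation. It shows the per-session cache suppressing the USAGE check for `public` after the policy changes in Ranger, and the check being sent again once the path is recomputed whenever Ranger is enabled.

```python
# Simplified model, constructed for illustration (not HAWQ source code).
SEARCH_PATH = ["pg_catalog", "public"]


class RangerStub:
    """Stands in for the external policy service; records each USAGE check."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.requests = []

    def check_usage(self, schema):
        self.requests.append(schema)
        return schema in self.allowed


class Session:
    def __init__(self, authz, enable_ranger, force_recompute):
        self.authz = authz
        self.enable_ranger = enable_ranger
        self.force_recompute = force_recompute
        self.cached_path = None  # only a local GRANT/REVOKE clears this

    def on_grant_or_revoke(self):
        # The invalidation hook; never called when policy lives in Ranger.
        self.cached_path = None

    def namespace_path(self):
        always_recompute = self.enable_ranger and self.force_recompute
        if self.cached_path is None or always_recompute:
            self.cached_path = [s for s in SEARCH_PATH
                                if self.authz.check_usage(s)]
        return self.cached_path

    def create_table(self):
        # In this model the table can only be created in "public".
        return "public" in self.namespace_path()


def replay(force_recompute):
    """Replay the issue: denied attempt, policy change in Ranger, retry."""
    ranger = RangerStub(allowed=["pg_catalog"])
    session = Session(ranger, enable_ranger=True,
                      force_recompute=force_recompute)
    first = session.create_table()
    ranger.allowed.add("public")  # granted in Ranger, so no GRANT SQL runs
    ranger.requests.clear()
    second = session.create_table()
    return first, second, list(ranger.requests)
```
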