Uploaded image for project: 'Apache HAWQ'
  1. Apache HAWQ
  2. HAWQ-1332

Can not grant database and schema privileges without table privileges in ranger or ranger plugin service

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: None
    • Fix Version/s: 2.2.0.0-incubating
    • Component/s: Security
    • Labels:
      None

      Description

      We try to grant database connect and schema usage privileges to a non-super user to connect database. We find that if we set policy with database and schema included, but with table excluded, we can not connect database. But if we include table, we can connect to database. We think there may be bug in Ranger Plugin Service or Ranger. Here are steps to reproduce it.

      1. create a new user "usertest1" in database:

      $ psql postgres
      psql (8.2.15)
      Type "help" for help.
      
      postgres=# CREATE USER usertest1;
      NOTICE:  resource queue required -- using default resource queue "pg_default"
      CREATE ROLE
      postgres=#
      

      2. add user "usertest1" in pg_hba.conf

      local all     usertest1             trust
      

      3. set policy with database and schema included, with table excluded

      4. connect database with user "usertest1" but failed with permission denied

      $ psql postgres -U usertest1
      psql: FATAL:  permission denied for database "postgres"
      DETAIL:  User does not have CONNECT privilege.
      

      5. set policy with database, schema and table included

      6. connect database with user "usertest1" and succeed

      $ psql postgres -U usertest1
      psql (8.2.15)
      Type "help" for help.
      
      postgres=#
      

      But if we do not set table as "*", and specify table like "a", we can not access database either.

        Attachments

        1. screenshot-3.png
          181 kB
          Chunling Wang
        2. screenshot-2.png
          185 kB
          Chunling Wang
        3. screenshot-1.png
          185 kB
          Chunling Wang

          Activity

            People

            • Assignee:
              adenisso Alexander Denissov
              Reporter:
              wcl14 Chunling Wang
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: