Details
- Type: Bug
- Status: Patch Available
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 0.6.3
- Fix Version/s: None
- Component/s: None
Description
Steps to reproduce:
1. Enable deny policies for the Hive agent: set "{"enableDenyAndExceptionsInPolicies":"true"}" in ranger meta.
2. Add the policy "database:{USER}, table:* column:*".
3. Create user test and database test in Linux and in Hive.
4. Add the deny policy "database:test, table:, column:, deny: {group:public, action:drop}".
5. Connect to Hive with beeline and run "use test".
6. The command fails with: user [test] does not have [USE] privilege on [test]
Cause:
In RangerHiveAuthorizer.checkPrivileges:

    if (hiveOpType == HiveOperationType.SHOWDATABASES) {
        RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
        RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
        requests.add(request);
    }
In RangerHiveAccessRequest.setHiveAccessType:

    public void setHiveAccessType(HiveAccessType accessType) {
        this.accessType = accessType;

        if (accessType == HiveAccessType.USE) {
            this.setAccessType(RangerPolicyEngine.ANY_ACCESS); // USE is mapped to the "any access" type
        } else if (accessType == HiveAccessType.ADMIN) {
            // body not shown in this report
        } else {
            this.setAccessType(accessType.name().toLowerCase());
        }
    }
In RangerDefaultPolicyItemEvaluator.matchAccessType, the "any" access type always returns true, so my deny policy matched.
RangerDefaultPolicyItemEvaluator.evaluatePolicyItems tries the denyEvaluators first.
So the resource (database) matched test, the user/group matched test, and "matchedPolicyItem.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY".
Finally it returns deny. The same happens for "show databases": "show databases" tries "SHOWDATABASES" and "use {database}" one by one.
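To make the cause concrete, here is an added Python model that replays the evaluation path described above. It is not Ranger code: the class and function names, the access-type set and the match_access_fixed rule are assumptions of mine, and the allow item in the first policy is constructed, since the report does not state it. It shows the reported outcome (USE mapped to ANY_ACCESS is caught by a deny-drop item tried ahead of every allow item) next to one possible stricter matcher under which a deny item only satisfies an ANY_ACCESS request when it removes every access type.

```python
# Added illustration, not Ranger's code: a toy replay of the evaluation path this report
# describes. Class/function names, the access-type set and match_access_fixed are assumptions.
from dataclasses import dataclass

ANY_ACCESS = "_any"  # stands in for RangerPolicyEngine.ANY_ACCESS
# Constructed subset of the Hive service-def access types, used only by match_access_fixed.
HIVE_ACCESS_TYPES = {"select", "update", "create", "drop", "alter", "index", "lock", "all"}


@dataclass
class PolicyItem:
    users: set
    groups: set
    accesses: set          # lowercase access names, e.g. {"drop"}; "all" covers every type
    deny: bool = False     # True for a deny item, False for an allow item


@dataclass
class Policy:
    database: str          # "*", the {USER} macro, or an exact database name
    items: list


def hive_to_ranger_access(hive_access_type):
    """Mirror of RangerHiveAccessRequest.setHiveAccessType: USE becomes ANY_ACCESS."""
    return ANY_ACCESS if hive_access_type == "USE" else hive_access_type.lower()


def resource_matches(policy_db, database, user):
    """Database-level resource match; {USER} matches a database named after the requesting user."""
    if policy_db == "*":
        return True
    if policy_db == "{USER}":
        return database == user
    return policy_db == database


def principal_matches(item, user, groups):
    return user in item.users or bool(item.groups & groups)


def grants(item, access_type):
    """True when the item names this concrete access type ("all" names every type)."""
    return "all" in item.accesses or access_type in item.accesses


def match_access_buggy(item, access_type):
    """matchAccessType as reported: an ANY_ACCESS request matches every item, deny items included."""
    return access_type == ANY_ACCESS or grants(item, access_type)


def match_access_fixed(item, access_type):
    """Assumed alternative (not Ranger's patch): a deny item satisfies an ANY_ACCESS request only
    when it removes every access type, i.e. the user would be left with no access at all."""
    if access_type != ANY_ACCESS:
        return grants(item, access_type)
    if item.deny:
        return "all" in item.accesses or item.accesses >= HIVE_ACCESS_TYPES
    return True


def evaluate(policies, user, groups, database, hive_access_type, match_access=match_access_buggy):
    """Replays the evaluatePolicyItems order: every deny item is tried before any allow item."""
    access_type = hive_to_ranger_access(hive_access_type)
    candidates = [p for p in policies if resource_matches(p.database, database, user)]
    for want_deny in (True, False):
        for policy in candidates:
            for item in policy.items:
                if (item.deny == want_deny
                        and principal_matches(item, user, groups)
                        and match_access(item, access_type)):
                    return "DENY" if want_deny else "ALLOW"
    return "DENY"  # no allow item matched


# Constructed policies mirroring steps 2 and 4 of the report (the allow item is assumed).
POLICIES = [
    Policy("{USER}", [PolicyItem(users={"test"}, groups=set(), accesses={"all"})]),
    Policy("test", [PolicyItem(users=set(), groups={"public"}, accesses={"drop"}, deny=True)]),
]


def reproduce(match_access=match_access_buggy):
    """Step 5 of the report: user test (group public) runs 'use test'."""
    return evaluate(POLICIES, "test", {"public"}, "test", "USE", match_access)


if __name__ == "__main__":
    print("reported behaviour :", reproduce())                    # DENY
    print("with fixed matcher :", reproduce(match_access_fixed))  # ALLOW
    print("drop still denied  :", evaluate(POLICIES, "test", {"public"}, "test", "DROP", match_access_fixed))
```

The deny-before-allow ordering is what turns a narrow deny (drop only) into a blanket refusal once the request's access type is the wildcard; the stricter matcher keeps "drop" denied for group public while letting the ANY_ACCESS check for "use" fall through to the allow item.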