RANGER-3193

create view as select is denied if the view and select table are in different schemas


Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 2.1.0
    • Fix Version/s: None
    • Component/s: plugins
    • Labels: None
    • Environment: Ranger 2.1.0, prestosql 350

    Description

      create view as select is denied if the view and the table are in different schemas (dbs), even though the identity has a valid privilege to create a view in the schema that owns the view.

      For example:

      CREATE VIEW db2.view1 AS SELECT col1,col2,col3 from db1.tbl1;

      For the above statement, the Presto plugin validates two permissions on the identity:

      1. a check that the identity may create a view under schema db2, in the method checkCanCreateView
      2. a check that the identity may select columns col1, col2, col3 on table tbl1 under schema db1, in the method checkCanCreateViewWithSelectFromColumns

      Whereas in the Ranger Presto plugin, in the method checkCanCreateViewWithSelectFromColumns the check is whether the identity may create a view on schema db1, instead of whether it may select the columns from the table.

      When I check the code in RangerSystemAccessControl.java:

        /**
         * This check equals the check for checkCanCreateView
         */
        @Override
        public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
          try {
            // 'table' here is the source table of the SELECT, so this re-runs the
            // create-view check against the source schema (db1 in the example);
            // the 'columns' argument is never consulted.
            checkCanCreateView(context, table);
          } catch (AccessDeniedException ade) {
            LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
            AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), context.getIdentity());
          }
        }


      Ranger checks whether the identity may create a view on the selected table's schema.

      Due to this, the identity is checked incorrectly in the two scenarios below.

      Scenario 1:
      The identity has the privilege to create a view in the schema that owns the view but does not have the privilege to create a view in the schema that owns the table. In this scenario the identity is denied the create view, since the create view check is applied to both the view's and the table's schema.

      Scenario 2:
      The identity has the privilege to select and to create a view, but does not have the privilege to select from the table. In this scenario the identity can still create the view and select from it, even though it does not have the privilege to select from the table.

      Please help to check this, as this is the latest Ranger version.
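To make the two scenarios concrete, here is an added Python model of the check order described above (example code, not Ranger's or Presto's own): a constructed set of grants stands in for Ranger policies, `select_check_reported` mirrors the delegation the issue describes, and `select_check_expected` is the column-level select check the hook should perform instead.

```python
class AccessDenied(Exception):
    """Stands in for Presto's AccessDeniedException."""


def allows(grants, user, schema, table, action):
    # grants: constructed stand-in for Ranger policies, a set of
    # (user, schema, table, action); table is None for schema-level actions.
    return (user, schema, table, action) in grants


def check_can_create_view(grants, user, schema):
    if not allows(grants, user, schema, None, "create_view"):
        raise AccessDenied(f"{user} may not create views in {schema}")


def select_check_reported(grants, user, schema, table, columns):
    # Behaviour described in the issue: the select-from-columns hook only
    # re-runs the create-view check, against the *source* table's schema.
    check_can_create_view(grants, user, schema)


def select_check_expected(grants, user, schema, table, columns):
    # What the hook should verify: select on every column the view reads.
    for column in columns:
        if not allows(grants, user, schema, table, f"select:{column}"):
            raise AccessDenied(f"{user} may not select {schema}.{table}.{column}")


def create_view_as_select(grants, user, view, source, columns, select_check):
    # Same order as in the issue: create-view on the view's schema, then the
    # select-from-columns hook on the source table. Returns 'allowed'/'denied'.
    src_schema, src_table = source.split(".")
    try:
        check_can_create_view(grants, user, view.split(".")[0])
        select_check(grants, user, src_schema, src_table, columns)
    except AccessDenied:
        return "denied"
    return "allowed"


COLS = ("col1", "col2", "col3")
# Scenario 1: create_view on db2 and select on db1.tbl1, but no create_view on db1.
SCENARIO_1 = ({("alice", "db2", None, "create_view")}
              | {("alice", "db1", "tbl1", f"select:{c}") for c in COLS})
# Scenario 2: create_view on both schemas, but no select on db1.tbl1 at all.
SCENARIO_2 = {("bob", "db2", None, "create_view"),
              ("bob", "db1", None, "create_view")}
```

With the reported hook, scenario 1 is wrongly denied and scenario 2 is wrongly allowed; the expected hook gives the opposite, correct, results.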

      People

        Assignee: sneha_surjuse (sneha_ss)
        Reporter: Harish Kumar M (harish kumar)