Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
STEPS TO REPRODUCE:
1. Create table t1 in Hive.
2. As user u1, invoke grant/revoke commands via Hive beeline for table t1.
3. Inspect the access audit logs corresponding to the grant/revoke operations.

User u1 can have the admin or USER role on the Ranger side.
CURRENT BEHAVIOUR:
Logs show that the grant or revoke operation is allowed by the default ranger-hive policy 'default database tables columns' (public group has create permissions on resource=[default/*/*]).
EXPECTED BEHAVIOUR:
Grant/Revoke operations are admin operations and should be performed by a user having the admin role on the Ranger side. The permissions should not be granted via a Ranger policy.