Hive Ranger security plugin

[ashishtadose]

Test plan - (Please fill in how you tested your changes)

Please make sure your submission complies with our Development, Formatting, and Commit Message guidelines. Don't forget to follow our attribution guidelines for any code copied from other projects.

Fill in the release notes towards the bottom of the PR description.
See Release Notes Guidelines for details.

== RELEASE NOTES ==

General Changes
* ...
* ...

Hive Changes
* ...
* ...

If release note is NOT required, use:

== NO RELEASE NOTE ==

[ashishtadose]

resolves #8980

[dborkar]

@nezihyigitbasi can you please help prioritize this? many users are interested in the plugin. Who'd be best to review?

[mayankgarg1990]

Took a first pass mainly on RangerBasedAccessControl and RangerAuthorizer class

[mayankgarg1990]

for the schema name argument - you should just say schemaName instead of schemeTableName.toString()

[ashishtadose]

ok

[mayankgarg1990]

Lets assume that the schema in question here is s1 - I don't have previous experience with Ranger - what we want to check here is that if the user has permission to drop schema s1, but given this implementation - how will it differentiate between what we want and the permission to drop table s1 in schema s1

[ashishtadose]

This implementation is keeping authorization checks similar to Hive since it is verifying against policies set for Hive service.
Ranger authorization checks are validated and inherited from schema, table & column.
Ranger policy can define if accesses are across all tables in the schema or specific table. The policy can allow/restrict user or group for drop access across which will be leveraged for schema and then more specific & restrictive policies for a table can override that behavior.
Policies are evaluated in a specific order to ensure predictable results.
More details here - https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies
TestRangerBasedAccessControl has concrete tests around this.

[mayankgarg1990]

Fix extraInfo as per suggestion above and please do the same for all instances below as well

[mayankgarg1990]

lets edit the error message to be in sync with what I stated above and also mention the columns that the user does not have access to

[ashishtadose]

Changing tableName.toString() to tableName.getTableName() as not all callback methods provides string schemaName arg but provides SchemaTableName wrapper class

[mayankgarg1990]

should we be passing the schema to check for permission within that ?

[ashishtadose]

For underline table and column access checks beyond the view individual access callback are triggered to verify.

[mayankgarg1990]

@ashishtadose - in addition to the code comments above - can you also comment how did you test this PR other than the unittests added in this PR - did you get a chance to run it against an actual Ranger instance and ensure that the code works.

Also, can you update the PR description with the appropriate release notes. https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines has guidelines on how to format your release notes.

[ashishtadose]

@mayankgarg1990 thanks for the review.
This plugin's functional verification has been carried with a distributed 2.6.x hadoop cluster with Ranger 0.7.x.
I'm planning to certify this for ranger 1.x as well with this PR.

Will accommodate review comments and update the PR.

[sajjoseph]

Good job @ashishtadose.
Multiple organizations have Hadoop 3.x with Ranger 2.x installations and so it will be great if you can get this plugin working with those combinations. Column masking, row filtering and tag support are essential as well.

[dborkar]

@sajjoseph You may be interested in the Ranger + PrestoDB meetup coming up. https://www.meetup.com/prestodb/events/275832071/

[discipleforteen]

will it work for Column masking, row filtering and tag support in Ranger 2.1?

[dborkar]

@mayankgarg1990 Can you please review? - there is very high interest in the community (via github issues and slack) for this plugin and we'd like to get it merged in as soon as possible.

[rohanpednekar]

@mayankgarg1990 Do you think you can review this PR?
@aweisberg and @tdcmeehan, requesting your help to get this prioritized for review.

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Ashish (bc5814c99a2ce66d9567d2bc00ba1775e4440bd7)

[ashishtadose]

Have rebased this PR and also updated it with the below features.

• Support for Ranger 2.1.x
• Integration with SSL secured Ranger services
• Ranger role-based access authorization.

[ashishtadose]

@mayankgarg1990 can you help in reviewing this. Thanks

[rubenssoto]

Hello,

Any updates on it? Great and important feature

@ashishtadose
@rohanpednekar

[rubenssoto]

Hello People,

Do you have any updates on this PR? This feature is very important for us

@rohanpednekar

[rohanpednekar]

@mayankgarg1990 this is coming up more. Could you please help up to review this PR?

CC @jbapple @aweisberg

[rohanpednekar]

Hi @tdcmeehan, Do you think we can get some help here, targetting to get this PR merged by PrestoCon. Thanks!

[mayankgarg1990]

Lets bring this onto master and then I can review this PR

[Ayan07]

@mayankgarg1990 can the merge process be expedited?

[mayankgarg1990]

@Ayan07 - the PR needs to be reviewed and is currently based on a 5 month old base. I am willing to prioritize this PR review - but it will be a combination of PR review and response to the review comments. Before I start to review I want to ensure that the PR is on the latest master so that reviewing and testing it is easy

[ashishtadose]

@mayankgarg1990 agree this PR needs to be updated with base and would be good to be enhanced with audit support.
I won't be able to spend more time on this anytime soon, @agrawalreetika would you be able to take this up and maybe raise a separate PR for this.

[agrawalreetika]

@mayankgarg1990 agree this PR needs to be updated with base and would be good to be enhanced with audit support. I won't be able to spend more time on this anytime soon, @agrawalreetika would you be able to take this up and maybe raise a separate PR for this.

Sure @ashishtadose I can raise a new PR along with new changes which are not there in this.

[agrawalreetika]

Lets bring this onto master and then I can review this PR

@mayankgarg1990 I have raised a new PR along with new changes #16999 . Please review that.

[rohanpednekar]

Refer #16999 for further work.