Hive Ranger security plugin #15519
Hive Ranger security plugin #15519
Conversation
|
resolves #8980 |
|
@nezihyigitbasi can you please help prioritize this? many users are interested in the plugin. Who'd be best to review? |
...e/src/main/java/com/facebook/presto/hive/security/ranger/RangerBasedAccessControlConfig.java
Outdated
Show resolved
Hide resolved
...e/src/main/java/com/facebook/presto/hive/security/ranger/RangerBasedAccessControlConfig.java
Outdated
Show resolved
Hide resolved
...e/src/main/java/com/facebook/presto/hive/security/ranger/RangerBasedAccessControlConfig.java
Outdated
Show resolved
Hide resolved
presto-hive/src/main/java/com/facebook/presto/hive/security/ranger/VXUser.java
Outdated
Show resolved
Hide resolved
presto-hive/src/main/java/com/facebook/presto/hive/security/ranger/VXUser.java
Show resolved
Hide resolved
| { | ||
| SchemaTableName schemaTableName = new SchemaTableName(schemaName, schemaName); | ||
| if (!checkAccess(identity, schemaTableName, null, HiveAccessType.DROP)) { | ||
| denyCreateSchema(schemaTableName.toString(), format("Access denied - User [ $s ] does not have is not have [DROP] " + |
There was a problem hiding this comment.
for the schema name argument - you should just say schemaName instead of schemeTableName.toString()
| */ | ||
| public void checkCanDropSchema(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, String schemaName) | ||
| { | ||
| SchemaTableName schemaTableName = new SchemaTableName(schemaName, schemaName); |
There was a problem hiding this comment.
Lets assume that the schema in question here is s1 - I don't have previous experience with Ranger - what we want to check here is that if the user has permission to drop schema s1, but given this implementation - how will it differentiate between what we want and the permission to drop table s1 in schema s1
There was a problem hiding this comment.
This implementation is keeping authorization checks similar to Hive since it is verifying against policies set for Hive service.
Ranger authorization checks are validated and inherited from schema, table & column.
Ranger policy can define if accesses are across all tables in the schema or specific table. The policy can allow/restrict user or group for drop access across which will be leveraged for schema and then more specific & restrictive policies for a table can override that behavior.
Policies are evaluated in a specific order to ensure predictable results.
More details here - https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+excludes+in+Ranger+policies
TestRangerBasedAccessControl has concrete tests around this.
| denyCreateTable(tableName.toString(), format("Access denied - User [ $s ] does not have is not have [CREATE] " + | ||
| "privilege on [ %s ] ", identity.getUser(), tableName.getSchemaName())); |
There was a problem hiding this comment.
Fix extraInfo as per suggestion above and please do the same for all instances below as well
| } | ||
| } | ||
| if (deniedColumns.size() > 0) { | ||
| denySelectColumns(tableName.toString(), deniedColumns, format("Access denied - User [ $s ] does not have is not have [ALTER] " + |
There was a problem hiding this comment.
lets edit the error message to be in sync with what I stated above and also mention the columns that the user does not have access to
There was a problem hiding this comment.
Changing tableName.toString() to tableName.getTableName() as not all callback methods provides string schemaName arg but provides SchemaTableName wrapper class
| @Override | ||
| public void checkCanCreateView(ConnectorTransactionHandle transactionHandle, ConnectorIdentity identity, AccessControlContext context, SchemaTableName viewName) | ||
| { | ||
| if (!checkAccess(identity, null, null, HiveAccessType.CREATE)) { |
There was a problem hiding this comment.
should we be passing the schema to check for permission within that ?
There was a problem hiding this comment.
For underline table and column access checks beyond the view individual access callback are triggered to verify.
|
@ashishtadose - in addition to the code comments above - can you also comment how did you test this PR other than the unittests added in this PR - did you get a chance to run it against an actual Ranger instance and ensure that the code works. Also, can you update the PR description with the appropriate release notes. https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines has guidelines on how to format your release notes. |
|
@mayankgarg1990 thanks for the review. Will accommodate review comments and update the PR. |
|
Good job @ashishtadose. |
ashishtadose
force-pushed
the
hive-ranger-plugin
branch
from
2a8a356 to
bc5814c
Compare
|
@sajjoseph You may be interested in the Ranger + PrestoDB meetup coming up. https://www.meetup.com/prestodb/events/275832071/ |
|
will it work for Column masking, row filtering and tag support in Ranger 2.1? |
|
@mayankgarg1990 Can you please review? - there is very high interest in the community (via github issues and slack) for this plugin and we'd like to get it merged in as soon as possible. |
|
@mayankgarg1990 Do you think you can review this PR? |
|
|
ashishtadose
force-pushed
the
hive-ranger-plugin
branch
from
4dc1363 to
bc5814c
Compare
ashishtadose
force-pushed
the
hive-ranger-plugin
branch
from
33546cd to
cd48fd9
Compare
|
Have rebased this PR and also updated it with the below features.
|
|
@mayankgarg1990 can you help in reviewing this. Thanks |
|
Hello, Any updates on it? Great and important feature |
|
Hello People, Do you have any updates on this PR? This feature is very important for us |
|
@mayankgarg1990 this is coming up more. Could you please help up to review this PR? |
|
Hi @tdcmeehan, Do you think we can get some help here, targetting to get this PR merged by PrestoCon. Thanks! |
|
Lets bring this onto master and then I can review this PR |
|
@mayankgarg1990 can the merge process be expedited? |
|
@Ayan07 - the PR needs to be reviewed and is currently based on a 5 month old base. I am willing to prioritize this PR review - but it will be a combination of PR review and response to the review comments. Before I start to review I want to ensure that the PR is on the latest master so that reviewing and testing it is easy |
|
@mayankgarg1990 agree this PR needs to be updated with base and would be good to be enhanced with audit support. |
Sure @ashishtadose I can raise a new PR along with new changes which are not there in this. |
@mayankgarg1990 I have raised a new PR along with new changes #16999 . Please review that. |
|
Refer #16999 for further work. |
Test plan - (Please fill in how you tested your changes)
Please make sure your submission complies with our Development, Formatting, and Commit Message guidelines. Don't forget to follow our attribution guidelines for any code copied from other projects.
Fill in the release notes towards the bottom of the PR description.
See Release Notes Guidelines for details.
If release note is NOT required, use: