Presto-Ranger authorization is not working when specific schema is provided in the ranger policy #1076
Comments
|
I think One functionality is missing to check schema access. checkCanSelectFromColumns Where we should check schema access which is missing in presto. |
|
Hey , In case you have picked some WIP commits while building the jar then let know which are those . |
|
@bb786112 can't reproduce ur issue, policy at specific schema level is allowed for me when querying |
|
We have tried 315 & 316 version with ranger integration and we can still re-produce this issue. Steps to Re-produced : Create a presto (Not Hive) policy for Ranger. Now try to access presto using same User and access the same schema which is assigned to same user. Please let me know your steps I will try to do the same, Hopefully I am missing some steps. Thanks for your effort |
|
username is case sensitive |
|
@bb786112 Hey, We are also facing the same issue, Did you solved it?? |
|
@bb786112 @tooptoop4 |
|
@rushidmarne did u solve? |
|
@tooptoop4 : No, It didn't work for me. I tried to create ranger service but unable to do that and found that it was not talking effect in authenticating and authorizing schemas/tables. |
|
@rushidmarne ignore this error, that does not matters. |
|
@bb786112 @shekarrreddy568 I am also facing this issue. Presto version: 332 |
|
@
hey I am facing same issues. is this resolve? |
|
@AvianshKumar
Then create actual policy and add restrictions on catalog, schema, tables, and columns for users. |
|
@iammehrabalam Create two separate policy as follows A policy with access to all catalog, schema, and tables to all users. |
|
There is already a default policy "all - function". Edit it and add update allow condition for {USER}.
|
|
Hi, Any idea if this issue is being looked into? Tried with ranger 2.1.0 and prestosql 347 |
|
Hi. I also met this problem and found a better workaround by making combination of policies. You just need to make every level of policy that gives access to Below example shows how to make a [You need to make policies to give access to information schema] [Now you make an actual policy] Then your policy would look like this: Slack thread: https://trinodb.slack.com/archives/CGB0QHWSW/p1615531251093100?thread_ts=1609915505.164600&cid=CGB0QHWSW |
|
Trino has no Ranger plugin yet, so let me close this issue as not pertaining Trino |
When we create ranger policy for presto and provide catalog as "hive" and schema as "aa",
and table and column as "*"
and if we try to connect presto-cli using below command:
./presto-cli --server https://localhost:7272 --keystore-path /etc/presto.jks --keystore-password password --catalog hive --schema aa --user abc --password
The result is access denied for particular schema for a particular user. But if we provide schema as "*" then its work fine and we are able to execute our select statement.
We also looked into logs and found elements below is only using catalog in case of schema provided from ranger UI. and if we provide schema as "*" then element provide all fields as schema, table, columns.
I think its a bug.
2019-07-03T08:11:03.065Z DEBUG Query-20190703_081102_00005_rugns-358 org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl ==> RangerPolicyEngineImpl.evaluatePolicies(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={catalog=hive; } }} accessType={select} user={abc} userGroups={abc } accessTime={null} clientIPAddress={null} forwardedAddresses={} remoteIPAddress={null} clientType={null} action={null} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={null} context={token:USER={abc} } }, policyType=0)
The text was updated successfully, but these errors were encountered: