Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger Hive row level filter policy prevent INSERT, is it a bug?

Labels:
avatar
author-rank qiwang
Master Collaborator

Created on ‎12-09-2016 06:11 PM - edited ‎08-18-2019 06:21 AM

working on a demo for client and noticed an interesting behavior of row level filter. Not sure it is the desired behavior.

I have a row level filter on one of my table "rowfilter". Once I enable this policy, it will block INSERT to this table by hive user. hive user has all permission for all hive table/UDF, so this is quite unexpected.

error message read "HiveAccessControlException Permission denied: user [hive] does not have [UPDATE] privilege on [hr/rowfilter] (state=42000,code=40000)"

10200-screen-shot-2016-12-09-at-10825-pm.png

10211-screen-shot-2016-12-09-at-10839-pm.png

The only way I could insert to this table is by temporarily disable the row level filter. This really looks like a bug to me..

5,423 Views
0
1 ACCEPTED SOLUTION

avatar
author-rank qiwang
Master Collaborator

Created on ‎12-09-2016 08:27 PM - edited ‎08-18-2019 06:21 AM

Did some more test and an interesting finding. The row based policy was created to target public group and that seems to be causing the problem.

10213-screen-shot-2016-12-09-at-32351-pm.png

This will block the insert for hive user.

But once the public group is removed, the hive user could works fine.

10214-screen-shot-2016-12-09-at-32630-pm.png

An interesting question is: does the row level filter limit the users to only select permission?

View solution in original post

4,868 Views
0
9 REPLIES 9

avatar
author-rank sunile_manjee author-rank
Master Guru

Created ‎12-09-2016 08:13 PM

can you show use the policy where you provide hive user update permission on table

4,868 Views

avatar
author-rank qiwang
Master Collaborator

Created on ‎12-09-2016 08:17 PM - edited ‎08-18-2019 06:21 AM

It is part of the default policy created by Ranger. hive user has all permission on everything

10212-screen-shot-2016-12-09-at-31553-pm.png

4,868 Views
0 Kudos

avatar
author-rank qiwang
Master Collaborator

Created on ‎12-09-2016 08:27 PM - edited ‎08-18-2019 06:21 AM

Did some more test and an interesting finding. The row based policy was created to target public group and that seems to be causing the problem.

10213-screen-shot-2016-12-09-at-32351-pm.png

This will block the insert for hive user.

But once the public group is removed, the hive user could works fine.

10214-screen-shot-2016-12-09-at-32630-pm.png

An interesting question is: does the row level filter limit the users to only select permission?

4,869 Views
0

avatar
author-rank mneethiraj author-rank
Rising Star

Created ‎12-18-2016 07:59 PM

if row-level filter/column-masking is enabled on a table for a user, that user will not be allowed to perform any update operations (like insert, delete) on the table. This is to prevent such users from updating rows/columns that they don't have permissions for.

4,868 Views

avatar
author-rank qiwang
Master Collaborator

Created ‎12-22-2016 04:19 PM

@Madhan Neethiraj

That makes sense. Thanks for you answer

4,868 Views
0 Kudos

avatar
author-rank pagrawa author-rank
Contributor

Created on ‎12-12-2016 03:05 AM - edited ‎08-18-2019 06:21 AM

Which version of Ranger are you using ?

Row level filter policy supports only 'select' permission

10232-screen-shot-2016-12-12-at-82728-am.png

10233-screen-shot-2016-12-12-at-82856-am.png

4,868 Views
0 Kudos

avatar
author-rank qiwang
Master Collaborator

Created ‎12-12-2016 03:56 PM

I know row level filter only has select. But does it also remove the permission from other policy? Like hive users universal access from the base policy.

4,868 Views
0 Kudos

avatar
author-rank shigeru_takehar
Expert Contributor

Created ‎04-21-2017 03:27 PM

I could re-create the same issue on hdp 2.5 sandbox. it looks to me a bug.

4,868 Views
0 Kudos

avatar
author-rank aleekha
Rising Star

Created ‎04-28-2017 06:29 PM

Hi Qi Wang: To your question "I know row level filter only has select. But does it also remove the permission from other policy? Like hive users universal access from the base policy.”

--> In this case your user 'hive' has all permissions on all tables through the default access based policy. Also there is a row level policy for user 'hive’ on 'rowfilter' table. We have only ‘select’ privilege to choose in row level policy, what this means is that you are giving user ‘hive’ only ‘select' privilege on the table and that too with restrictions on what he can view on doing ‘select’.

Why this is done? If you as a user are not allowed to even see the full contents of a particular table, you cannot be allowed to perform operations on that table.

When Hive request comes in from a user, all row level policies are scanned for that user. If a row level policy found for the user, the access privileges are scanned on that resource by going through access policies. (An access policy needs to grant the user access to that resource, row filer policy does not grant access). Now since update is not granted by masking policy, the operation is denied. The request does not even reach access policy.

Hope this helps.

4,868 Views
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements