[Submarine Spark Security] "Drop Table" Access Control Bypassed / Ignored
atomeel opened this issue · 9 comments
Hi, I am using Spark 2.4.5 and Ranger 1.2.0, and built the submarine-spark-security plugin on commit 2ff3339 with mvn clean package -Dmaven.javadoc.skip=true -DskipTests -pl :submarine-spark-security -Pspark-2.4 -Pranger-1.2.
Upon creating a user in Ranger with no permissions (or in my case, precisely, I created a user in OpenLDAP, synced it via ranger-usersync, and did not assign any permissions to the new user), it is expected that the user will get a permission denied error (e.g. SparkAccessControlException) for all SQL operations (e.g. SELECT, INSERT, DROP).
However, the permission denial only works for SELECT & INSERT.
"DROP TABLE" was still allowed despite the user having no permissions at all, and the table was dropped as a result.
I am setting spark.sql.extensions=org.apache.submarine.spark.security.api.RangerSparkSQLExtension, if it matters. hive.server2.authentication is also set to LDAP in /spark/conf/hive-site.xml.
I have fixed this problem locally, but I found that this model has been removed. Where do I submit the pull request?
Besides the drop table permission problem, there are also the insert and alter table permission problems.
We will maintain this module in apache/incubator-kyuubi later. Currently, we haven't finished the initial setup yet. Would you like to help?
OK
Are there any solutions in this case now? I found the same question now.
ranger-2.3.0 hive-3.1.3 hdfs-3.3.6