apache/submarine

[Submarine Spark Security] "Drop Table" Access Control Bypassed / Ignored

atomeel opened this issue · 9 comments

Hi, I am using Spark 2.4.5 and Ranger 1.2.0, and built the submarine-spark-security plugin on commit 2ff3339 with mvn clean package -Dmaven.javadoc.skip=true -DskipTests -pl :submarine-spark-security -Pspark-2.4 -Pranger-1.2.

Upon creating a user in Ranger with no permissions (or in my case, precisely, I created a user in OpenLDAP, synced it via ranger-usersync, and did not assign any permissions to the new user), it is expected that the user will get a permission denied error (e.g. SparkAccessControlException) for all SQL operations (e.g. SELECT, INSERT, DROP).

However, the permission denial only works for SELECT & INSERT.
"DROP TABLE" was still allowed despite the user having no permissions at all, and the table was dropped as a result.

I am setting spark.sql.extensions=org.apache.submarine.spark.security.api.RangerSparkSQLExtension, if it matters. hive.server2.authentication is also set to LDAP in /spark/conf/hive-site.xml.

Would you mind creating a PR to fix this, @atomeel?

Have you solved the problem? @atomeel @yaooqinn

I have fixed this problem locally, but I found that this model has been removed. Where do I submit the pull request?

@yaooqinn

Besides the drop table permission problem, there are also insert and alter table permission problems.

We will maintain this module in apache/incubator-kyuubi later. Currently, we haven't finished the initial setup yet. Would you like to help?

OK

Are there any solutions for this case now? I found the same question now.

ranger-2.3.0 hive-3.1.3 hdfs-3.3.6