[
https://issues.apache.org/jira/browse/KUDU-3661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17947223#comment-17947223
]
ASF subversion and git services commented on KUDU-3661:
-------------------------------------------------------
Commit 89eaf9dbd9ac728a9b1cc69484e4777035f1b249 in kudu's branch
refs/heads/branch-1.18.x from Abhishek Chennaka
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=89eaf9dbd ]
KUDU-3661 Ranger policy not honored in Kudu
This fixes a long-standing bug in the Ranger authorization provider
where we return prematurely from
RangerAuthzProvider::FillTablePrivilegePB() when the SELECT
action is encountered while iterating through
unordered_set<ActionPB, ActionHas> container, potentially
resulting in missing privileges depending on the position of the
SELECT action in the set. While this behavior depends on the
libc++/libstdc++ implementation, we have observed reports of this
issue on RHEL/CentOS 8 machines.
Thanks to Alexey Serbin for valuable inputs and contributions on
this fix.
Test case source: https://gerrit.cloudera.org/#/c/22809/
Change-Id: I635132154d622eb41e993a0a1a818b21b5af6bb7
Reviewed-on: http://gerrit.cloudera.org:8080/22806
Reviewed-by: Alexey Serbin <ale...@apache.org>
Tested-by: Abhishek Chennaka <achenn...@cloudera.com>
(cherry picked from commit 4e5cd21da441444cf960e8fa53a71042b7be17c9)
Reviewed-on: http://gerrit.cloudera.org:8080/22814
> Update table privileges from Ranger not honored
> -----------------------------------------------
>
> Key: KUDU-3661
> URL: https://issues.apache.org/jira/browse/KUDU-3661
> Project: Kudu
> Issue Type: Bug
> Reporter: Abhishek Chennaka
> Priority: Major
>
> In RHEL/CentOS 8 machines there have been reports where UPDATE permission for
> a user set in Ranger is not honored by Kudu and the clients face the below
> error message from tablet servers when performing UPDATE operations:
> {code:java}
> [kudu-nio-1] ERROR org.apache.kudu.client.Connection - [peer
> 09bdfbf068c742478ddd32a5593e5b36(ccycloud-3.kudu-ranger.root.comops.site:7050)]
> server sent error Not authorized: not authorized to UPDATE [kudu-nio-2]
> ERROR org.apache.kudu.client.Connection - [peer
> a3f00ea341124f08a52264fe4cfd8726(ccycloud-2.kudu-ranger.root.comops.site:7050)]
> server sent error Not authorized: not authorized to UPDATE [kudu-nio-1]
> ERROR org.apache.kudu.client.Connection - [peer
> 09bdfbf068c742478ddd32a5593e5b36(ccycloud-3.kudu-ranger.root.comops.site:7050)]
> server sent error Not authorized: not authorized to UPDATE{code}
> A workaround is to set ALL permissions in Ranger for the specific user.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
