Show only denied columns in Ranger error message #24873

Open
wants to merge 1 commit into
base: master

takezoe
Member

@takezoe takezoe commented Feb 1, 2025

Description

When column access is denied, the current error message contains all requested columns:

Cannot select from columns [id, time] in table or view tbl1

With this change, the error message will only contain denied columns:

Cannot select from columns [id] in table or view tbl1

Release notes

(x) This is not user-visible or is docs only, and no release notes are required.

@cla-bot cla-bot bot added the cla-signed label Feb 1, 2025
@ebyhr ebyhr requested review from kokosing and mneethiraj February 3, 2025 00:04
@mneethiraj
Contributor

To avoid information disclosure, the error message should be a generic one - like Cannot select from table tbl1, i.e. revealing names of requested columns is not recommended.

@takezoe - I suggest error message from Ranger authorizer to be consistent with FileBasedSystemAccessControl, which simply calls denySelectTable(tableName), with no column names.

@takezoe
Member Author

takezoe commented Feb 3, 2025

In that sense, denySelectColumns() should be deprecated?

@@ -224,6 +225,10 @@ void testColumnOperations()
assertThatThrownBy(() -> accessControlManager.checkCanShowColumns(context(BOB), TABLE_ALICE_SCH1_TBL1)).isInstanceOf(AccessDeniedException.class);
assertThatThrownBy(() -> accessControlManager.checkCanSelectFromColumns(context(BOB), TABLE_ALICE_SCH1_TBL1, ImmutableSet.of())).isInstanceOf(AccessDeniedException.class);
assertThatThrownBy(() -> accessControlManager.checkCanUpdateTableColumns(context(BOB), TABLE_ALICE_SCH1_TBL1, Collections.emptySet())).isInstanceOf(AccessDeniedException.class);

assertThatThrownBy(() -> accessControlManager.checkCanSelectFromColumns(context(BOB), TABLE_USER_SCH1_TBL1, ImmutableSet.of("id", "time")))
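Review bot: The added assertion on `checkCanSelectFromColumns(context(BOB), TABLE_USER_SCH1_TBL1, ImmutableSet.of("id", "time"))` should pin the full exception message, not only the exception type as the three assertions above it do with `isInstanceOf(AccessDeniedException.class)`. The change is about which column names end up in the error text, so assert the exact message and add a negative check that a column the user is allowed to read does not appear in it; a regression that puts the whole requested set back into the message would then fail the test. The rest of this assertion is not visible here, so if the exact message is already checked, only the negative check needs adding.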
Member

Can you also add a test with an empty set, when the entire table is not allowed to be queried?
