search

trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
https://trino.io
Apache License 2.0
10.35k stars 2.98k forks source link

Can't create Schemas in Catalogs when using Apache Ranger #16085

Closed dcardellino closed 1 year ago

dcardellino commented 1 year ago

We currently use Apache Ranger for policy management with Trino. We migrated our policies and our catalogs from Presto to Trino. We currently facing some issues with creating Schemas in our catalogs.

When we try to create a schema in eg. hive we geht the following error:

trino --server https://trino.example.com --user testuser --catalog hive --password --debug                                                                                                                                                                                                                                                                                                                                                                                                                                                        
Password:
trino> CREATE SCHEMA test;
Query 20230213_094644_00081_amv3v failed: Access Denied: Cannot create schema hive.test
io.trino.spi.security.AccessDeniedException: Access Denied: Cannot create schema hive.test
    at io.trino.spi.security.AccessDeniedException.denyCreateSchema(AccessDeniedException.java:128)
    at io.trino.spi.security.AccessDeniedException.denyCreateSchema(AccessDeniedException.java:123)
    at io.trino.spi.security.SystemAccessControl.checkCanCreateSchema(SystemAccessControl.java:264)
    at io.trino.security.AccessControlManager.lambda$checkCanCreateSchema$9(AccessControlManager.java:313)
    at io.trino.security.AccessControlManager.systemAuthorizationCheck(AccessControlManager.java:1317)
    at io.trino.security.AccessControlManager.checkCanCreateSchema(AccessControlManager.java:313)
    at io.trino.security.ForwardingAccessControl.checkCanCreateSchema(ForwardingAccessControl.java:113)
    at io.trino.execution.CreateSchemaTask.internalExecute(CreateSchemaTask.java:118)
    at io.trino.execution.CreateSchemaTask.execute(CreateSchemaTask.java:83)
    at io.trino.execution.CreateSchemaTask.execute(CreateSchemaTask.java:55)
    at io.trino.execution.DataDefinitionExecution.start(DataDefinitionExecution.java:145)
    at io.trino.execution.SqlQueryManager.createQuery(SqlQueryManager.java:249)
    at io.trino.dispatcher.LocalDispatchQuery.lambda$startExecution$7(LocalDispatchQuery.java:143)
    at io.trino.$gen.Trino_405____20230213_085649_2.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)

It doesn't matter if we try to create a schema in hive or in a postgresql catalog.

I saw there was an issue before https://github.com/trinodb/trino/issues/6670 but this was closed. Is this already fixed or do we still have this bug?

aakashnand commented 1 year ago

This commit to SystemAccessControl.java broke the ranger plugin which is why it is not working. For time being please use the trino version which is older than 402. I will fix the trino-ranger-plugin later

https://github.com/trinodb/trino/commit/0fac0878f63d841cbcad8c8f1073e34f137d54bd