trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
https://trino.io
Apache License 2.0

Trino & Ranger Authorization - Schema Creation #20500

Closed semeteycoskun closed 8 months ago

semeteycoskun commented 8 months ago

Hi,

I'm running Trino in Docker (trinodb/trino:423) and this environment is integrated with Apache Ranger (2.4.0) for authz policies. Every permission seems OK except "Create Schema" in a catalog. I've tried various configurations, specifying catalog names with "*" or the exact name of the catalog in which I'm trying to create the schema, but every time I get the same error.

Cloud Beaver Exception:

```
io.cloudbeaver.DBWebException: Error executing query: SQL Error [4]: Query failed (#20240129_203356_00589_c9776): Access Denied: Cannot create schema delta.trino_poc
    at io.cloudbeaver.service.sql.WebSQLProcessor.processQuery(WebSQLProcessor.java:264)
    at io.cloudbeaver.service.sql.impl.WebServiceSQL$1.run(WebServiceSQL.java:377)
    at io.cloudbeaver.model.session.WebSession$1.run(WebSession.java:692)
    at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:105)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.jkiss.dbeaver.model.sql.DBSQLException: SQL Error [4]: Query failed (#20240129_203356_00589_c9776): Access Denied: Cannot create schema delta.trino_poc
    at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:133)
    at io.cloudbeaver.service.sql.WebSQLProcessor.lambda$1(WebSQLProcessor.java:250)
    at org.jkiss.dbeaver.model.exec.DBExecUtils.tryExecuteRecover(DBExecUtils.java:190)
    at io.cloudbeaver.service.sql.WebSQLProcessor.processQuery(WebSQLProcessor.java:207)
    ... 4 more
Caused by: java.sql.SQLException: Query failed (#20240129_203356_00589_c9776): Access Denied: Cannot create schema delta.trino_poc
    at io.trino.jdbc.AbstractTrinoResultSet.resultsException(AbstractTrinoResultSet.java:1937)
    at io.trino.jdbc.TrinoResultSet.getColumns(TrinoResultSet.java:318)
    at io.trino.jdbc.TrinoResultSet.create(TrinoResultSet.java:61)
    at io.trino.jdbc.TrinoStatement.internalExecute(TrinoStatement.java:262)
    at io.trino.jdbc.TrinoStatement.execute(TrinoStatement.java:240)
    at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.execute(JDBCStatementImpl.java:330)
    at org.jkiss.dbeaver.model.impl.jdbc.exec.JDBCStatementImpl.executeStatement(JDBCStatementImpl.java:131)
    ... 7 more
Caused by: io.trino.spi.security.AccessDeniedException: Access Denied: Cannot create schema delta.trino_poc
    at io.trino.spi.security.AccessDeniedException.denyCreateSchema(AccessDeniedException.java:150)
    at io.trino.spi.security.AccessDeniedException.denyCreateSchema(AccessDeniedException.java:145)
    at io.trino.spi.security.SystemAccessControl.checkCanCreateSchema(SystemAccessControl.java:286)
    at io.trino.security.AccessControlManager.lambda$checkCanCreateSchema$11(AccessControlManager.java:340)
    at io.trino.security.AccessControlManager.systemAuthorizationCheck(AccessControlManager.java:1363)
    at io.trino.security.AccessControlManager.checkCanCreateSchema(AccessControlManager.java:340)
    at io.trino.security.ForwardingAccessControl.checkCanCreateSchema(ForwardingAccessControl.java:125)
    at io.trino.tracing.TracingAccessControl.checkCanCreateSchema(TracingAccessControl.java:166)
    at io.trino.execution.CreateSchemaTask.internalExecute(CreateSchemaTask.java:117)
    at io.trino.execution.CreateSchemaTask.execute(CreateSchemaTask.java:82)
    at io.trino.execution.CreateSchemaTask.execute(CreateSchemaTask.java:54)
    at io.trino.execution.DataDefinitionExecution.start(DataDefinitionExecution.java:145)
    at io.trino.execution.SqlQueryManager.createQuery(SqlQueryManager.java:256)
    at io.trino.dispatcher.LocalDispatchQuery.startExecution(LocalDispatchQuery.java:145)
    at io.trino.dispatcher.LocalDispatchQuery.lambda$waitForMinimumWorkers$2(LocalDispatchQuery.java:129)
    at io.airlift.concurrent.MoreFutures.lambda$addSuccessCallback$12(MoreFutures.java:568)
    at io.airlift.concurrent.MoreFutures$3.onSuccess(MoreFutures.java:543)
    at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1133)
    at io.trino.$gen.Trino_423____20240129_094308_2.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
```

When I grep the coordinator logs, the only policy ID I can see is 27:

```
2024-01-29T20:02:57.087Z INFO Query-20240129_200257_00416_c9776-2066 stdout 20:02:57.087 [Query-20240129_200257_00416_c9776-2066] DEBUG org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator - ==> RangerDefaultPolicyEvaluator.evaluate(policyId=27, RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={catalog=delta; } }} accessType={use} user={005269} userGroups={MY USER GROUP LIST } userRoles={} accessTime={Mon Jan 29 20:02:57 UTC 2024} clientIPAddress={null} forwardedAddresses={} remoteIPAddress={null} clientType={null} action={null} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={} clusterType={} context={token:USER={005269} } }, RangerAccessResult={isAccessDetermined={false} isAllowed={false} isAuditedDetermined={false} isAudited={false} auditLogId={null} policyType={0} policyId={-1} zoneName={null} auditPolicyId={-1} policyVersion={null} evaluatedPoliciesCount={1} reason={null} additionalInfo={}})
```

Policy ID 27 is the default "all - catalog, schema, table, column" configuration:

[two screenshots of Ranger policy 27 not reproduced]

Is there any point that I'm missing?

Thank you, Kind Regards.
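The coordinator log line quoted in the post carries everything needed to see what the Ranger plugin actually evaluated: the policy consulted, the resource elements, the access type, the user, and whether that policy decided the request at all (`isAccessDetermined`) versus merely left it undecided. Grepping for a policy ID alone hides that the quoted request is a catalog-level `use` check on `delta`, not a schema-level `create`. The parser below is an added example for this thread, not Trino or Ranger code. The first sample line is the one from the post; the second is constructed here to show the shape of a determined, allowed schema-level check (policy ID 31 and its result fields are invented for contrast and do not come from the issue).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Line quoted from the issue: policy 27 evaluated for a catalog-level "use" check.
ISSUE_LINE = (
    "2024-01-29T20:02:57.087Z INFO Query-20240129_200257_00416_c9776-2066 stdout 20:02:57.087 "
    "[Query-20240129_200257_00416_c9776-2066] DEBUG org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator "
    "- ==> RangerDefaultPolicyEvaluator.evaluate(policyId=27, RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} "
    "elements={catalog=delta; } }} accessType={use} user={005269} userGroups={MY USER GROUP LIST } userRoles={} "
    "accessTime={Mon Jan 29 20:02:57 UTC 2024} clientIPAddress={null} forwardedAddresses={} remoteIPAddress={null} "
    "clientType={null} action={null} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={} "
    "clusterType={} context={token:USER={005269} } }, RangerAccessResult={isAccessDetermined={false} isAllowed={false} "
    "isAuditedDetermined={false} isAudited={false} auditLogId={null} policyType={0} policyId={-1} zoneName={null} "
    "auditPolicyId={-1} policyVersion={null} evaluatedPoliciesCount={1} reason={null} additionalInfo={}})"
)

# Constructed line (NOT from the issue): a determined, allowed schema-level "create" check.
CONSTRUCTED_LINE = (
    "2024-01-29T20:02:57.090Z INFO Query-20240129_200257_00416_c9776-2066 stdout 20:02:57.090 "
    "[Query-20240129_200257_00416_c9776-2066] DEBUG org.apache.ranger.plugin.policyevaluator.RangerDefaultPolicyEvaluator "
    "- ==> RangerDefaultPolicyEvaluator.evaluate(policyId=31, RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} "
    "elements={catalog=delta; schema=trino_poc; } }} accessType={create} user={005269} userGroups={MY USER GROUP LIST } userRoles={} "
    "accessTime={Mon Jan 29 20:02:57 UTC 2024} clientIPAddress={null} forwardedAddresses={} remoteIPAddress={null} "
    "clientType={null} action={null} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={} "
    "clusterType={} context={token:USER={005269} } }, RangerAccessResult={isAccessDetermined={true} isAllowed={true} "
    "isAuditedDetermined={true} isAudited={true} auditLogId={null} policyType={0} policyId={31} zoneName={null} "
    "auditPolicyId={31} policyVersion={3} evaluatedPoliciesCount={1} reason={null} additionalInfo={}})"
)

EVALUATE_RE = re.compile(r"RangerDefaultPolicyEvaluator\.evaluate\(policyId=(-?\d+),")
ELEMENTS_RE = re.compile(r"elements=\{([^}]*)\}")
ACCESS_TYPE_RE = re.compile(r"accessType=\{([^}]*)\}")
USER_RE = re.compile(r"\buser=\{([^}]*)\}")        # lowercase: skips ownerUser=, userGroups=, context USER=
GROUPS_RE = re.compile(r"userGroups=\{([^}]*)\}")
RESULT_FIELD_RE = re.compile(r"(\w+)=\{([^{}]*)\}")  # key={value} pairs inside RangerAccessResult={...}


@dataclass
class RangerEvaluation:
    policy_id: int              # policy consulted by this evaluate() call
    access_type: str            # Ranger access type requested (use, create, select, ...)
    user: str
    groups: str                 # kept raw; the issue redacts it
    resource: Dict[str, str]    # catalog/schema/table/column elements of the request
    access_determined: bool     # did this policy decide the request at all?
    allowed: bool
    evaluated_policies: int


def _first(rx: "re.Pattern[str]", text: str) -> str:
    m = rx.search(text)
    return m.group(1).strip() if m else ""


def parse_evaluation(line: str) -> Optional[RangerEvaluation]:
    """Parse one evaluate() DEBUG line; return None for any other log line."""
    m = EVALUATE_RE.search(line)
    result_start = line.find("RangerAccessResult={")
    if m is None or result_start < 0:
        return None
    request, result_tail = line[:result_start], line[result_start:]
    resource: Dict[str, str] = {}
    for part in _first(ELEMENTS_RE, request).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            resource[key.strip()] = value.strip()
    result = dict(RESULT_FIELD_RE.findall(result_tail))
    return RangerEvaluation(
        policy_id=int(m.group(1)),
        access_type=_first(ACCESS_TYPE_RE, request),
        user=_first(USER_RE, request),
        groups=_first(GROUPS_RE, request),
        resource=resource,
        access_determined=result.get("isAccessDetermined") == "true",
        allowed=result.get("isAllowed") == "true",
        evaluated_policies=int(result.get("evaluatedPoliciesCount", "0")),
    )


def resource_path(ev: RangerEvaluation) -> str:
    """Dotted Trino-style name, e.g. 'delta' or 'delta.trino_poc'."""
    return ".".join(ev.resource[k] for k in ("catalog", "schema", "table", "column") if k in ev.resource)


def undetermined_checks(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(resource, access type, policy id) for evaluations the consulted policy did not decide.

    isAccessDetermined=false means the policy was evaluated but its resource match or its
    items did not apply to this user/resource/access type, so it neither allowed nor denied.
    """
    hits = []
    for line in lines:
        ev = parse_evaluation(line)
        if ev is not None and not ev.access_determined:
            hits.append((resource_path(ev), ev.access_type, ev.policy_id))
    return hits
```

Run `undetermined_checks()` over the coordinator log with the Ranger plugin logger at DEBUG to list every (resource, access type, policy) combination that fell through undecided; for the quoted line that is `("delta", "use", 27)`. Comparing the access type and resource elements of the failing request against the resource levels and access types granted in the policy is more reliable than matching on the policy ID alone.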

ebyhr commented 8 months ago

Please ask in the Ranger community. The plugin isn't managed in this repository.