Hi,
I am trying to integrate ranger with presto and it's working on "Release 317"
I followed the following documentation : https://cwiki.apache.org/confluence/display/RANGER/Presto+Plugin
But when I go with versions after that, it throws the following errors.
query: _SHOW CATALOGS_
error : _[65536] Query failed (#20200303_063413_00002_h5s89): Internal error java.lang.RuntimeException: java.lang.IllegalStateException_
query:_select * from hive.db_name.table_name limit 10_
error:_[4] Query failed (#20200303_063836_00000_x47vg): Access Denied: Cannot access catalog hive java.lang.RuntimeException: io.prestosql.spi.security.AccessDeniedException: Access Denied: Cannot access catalog hive_
I've tried versions 318, 319, 323, 329 and I am facing similar errors. How do I solve this?
can u post whole stacktrace?
I'm guessing prestosql/presto#1624 in release 320 and prestosql/presto#171 in release 318 broke it
@har5havardhan Thanks for filing the JIRA ticket https://issues.apache.org/jira/browse/RANGER-2747. Let me share it so that other people can follow it.
Could you confirm if https://github.com/ebyhr/ranger/commit/5f01488b477dc15e9c256346efad3f5d239515f3 resolves the issue?
There is an api change in Presto that makes the plugin incompatible. I'm holding off for presto 331 to release a new version with a compatible api and row/column filtering
@ebyhr ebyhr/ranger@5f01488 with same changes in file ranger/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java resolved the issue.
But we are facing another issue
@mit012 What Presto version are you using?
@mit012 "same changes" - did you make different changes than just what was in ebyhr's PR? Also, did you ever get access working before for groups? It only works if you add local linux user/groups
@ebyhr We are using presto version 323.
@tooptoop4 yes we have changes in ranger/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java also (replaced Identity with SystemSecurityContext).
We did not have access for groups before either.
@mit012 Added one more commit https://github.com/ebyhr/ranger/commit/841a4d59b4402496edc167180dec8ae55459c4bb to use version 323. Could you try again?
https://issues.apache.org/jira/browse/RANGER-2754 has an attached patch that supports Presto 331 and includes Row filtering, Column Masking and Presto groups support. For UGI group support set "ranger.use_ugi=true".
Note that you will need to upgrade your service definitions.
Let me know how testing goes.
@ebyhr Yes, it's working
So I don't run into the same issue har5havardhan has, what are the latest stable versions of prestosql and Ranger that work together?
Will prestosql here: https://repo1.maven.org/maven2/io/prestosql/presto-server/331/presto-server-331.tar.gz
and ranger branch: https://github.com/apache/ranger/tree/ranger-2.0
work together?
@KentonParton no. The above linked issue has a patch that works with Presto 331. I think you need to be below 321 to have ranger 2.0 work
@bolkedebruin Have these changes been applied to any of the ranger branches yet? Personally, I am just testing Presto and Ranger so if I can avoid running patches that would be great.
If patching is the only option, how do I go about running it? From what I have read, you have to run it on each file that needs to be updated. Is that correct?
Thanks for the help.
Found out how to apply the patch.
After applying the patch to ranger (master branch) and executing enable-presto-plugin.sh successfully, it appears that if you try to limit the columns or tables a user has access to, access is denied for the catalog. Masking is working as expected.
Since applying the patch, when navigating to the UI http://localhost:8080/ui/, NullPointer exceptions are thrown:
2020-04-10T13:41:17.912Z WARN http-worker-122 io.prestosql.server.ThrowableMapper Request failed for /ui/api/query
java.lang.NullPointerException
at com.google.common.collect.ImmutableCollection$Builder.addAll(ImmutableCollection.java:415)
at com.google.common.collect.ImmutableSet$Builder.addAll(ImmutableSet.java:507)
at io.prestosql.security.AccessControlUtil.filterQueries(AccessControlUtil.java:51)
at io.prestosql.server.ui.UiQueryResource.getAllQueryInfo(UiQueryResource.java:74)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:243)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617)
at io.airlift.http.server.ClassPathResourceFilter.doFilter(ClassPathResourceFilter.java:105)
at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at io.prestosql.server.ui.FormWebUiAuthenticationManager.handleUiRequest(FormWebUiAuthenticationManager.java:128)
at io.prestosql.server.security.AuthenticationFilter.doFilter(AuthenticationFilter.java:104)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at io.airlift.http.server.TraceTokenFilter.doFilter(TraceTokenFilter.java:63)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at io.airlift.http.server.TimingFilter.doFilter(TimingFilter.java:51)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:767)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1300)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1215)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:500)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
at java.lang.Thread.run(Thread.java:748)
I believe this error has nothing to do with a ranger connector plugin, as the security check above is not exposed to connectors (it is a system access check).
Looking at the stack I don't see how a NPE is possible there unless there is a custom system access control installed that implements filterViewQueryOwnedBy as return null
If you want Presto > 317 take the latest patch from here: https://issues.apache.org/jira/browse/RANGER-2754 . It is undergoing review and has unit tests.
@dain my current plugin version actually does exactly that at the moment, so I need to fix that.
Patch has been updated and should not throw this NPE anymore @dain @KentonParton
@bolkedebruin thank you for updating the patch I will give it a try this evening.
Regarding the policies set in Ranger: when I limit a user's access to anything other than full access, the following is displayed.
[4] Query failed (#20200410_183150_00081_q4erf): Access Denied: Cannot access catalog wemingle io.prestosql.spi.security.AccessDeniedException: Access Denied: Cannot access catalog wemingle
I am connecting to presto with the user "kentonparton" and this is the policy that I have created in Ranger.

If I provide full access, then this user is able to query data as expected but as soon as I limit something, access is denied at the catalog level.
Have you been able to limit which columns a user has access to or am I doing something wrong in Ranger?
You will need to create policies at the Catalog level, Schema level and Table level in order to ensure access.
Access determination does not drill down to lower levels. The default policy is deny and as such the first check will indeed end up with an access denied.
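The behaviour described in the reply above, as an added example that is not part of the original thread and is not Ranger's or Presto's code: a simplified deny-by-default model in which each check only matches a policy defined at exactly that level. The `Policy` class, the `use`/`select` access names, the schema `app`, the tables `events` and `payments`, and the schema/table denial wording are assumptions or constructed values; wildcards are left out.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    # Hypothetical policy record; schema/table are None for higher-level policies.
    user: str
    access: str
    catalog: str
    schema: Optional[str] = None
    table: Optional[str] = None


def allowed(policies, user, access, catalog, schema=None, table=None):
    """Default deny: a policy matches only the exact level being checked."""
    return any(
        p.user == user and p.access == access
        and (p.catalog, p.schema, p.table) == (catalog, schema, table)
        for p in policies
    )


def run_select(policies, user, catalog, schema, table):
    """Run the catalog, schema and table checks in order; report the first denial."""
    checks = [
        # Catalog wording is taken from the thread; the other two are constructed.
        (f"Cannot access catalog {catalog}", ("use", catalog, None, None)),
        (f"Cannot access schema {catalog}.{schema}", ("use", catalog, schema, None)),
        (f"Cannot select from table {catalog}.{schema}.{table}",
         ("select", catalog, schema, table)),
    ]
    for message, (access, c, s, t) in checks:
        if not allowed(policies, user, access, c, s, t):
            return "Access Denied: " + message
    return "OK"


# Constructed policies: a table-level grant alone, then grants at all three levels.
TABLE_ONLY = [Policy("kentonparton", "select", "wemingle", "app", "events")]
ALL_LEVELS = TABLE_ONLY + [
    Policy("kentonparton", "use", "wemingle"),
    Policy("kentonparton", "use", "wemingle", "app"),
]

if __name__ == "__main__":
    print(run_select(TABLE_ONLY, "kentonparton", "wemingle", "app", "events"))
    print(run_select(ALL_LEVELS, "kentonparton", "wemingle", "app", "events"))
    print(run_select(ALL_LEVELS, "kentonparton", "wemingle", "app", "payments"))
```

In this model the table-only policy fails at the first check with the catalog-level denial seen in the thread, while the three-level set allows `events` and still denies a second table in the same schema.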
@bolkedebruin what policies should be created to allow just 1 tbl but not other tables in same schema? 'USE' priv (but not 'SELECT') at catalog and schema level ?
@bolkedebruin I applied the latest patch "0001-RANGER-2754-Upgrade-presto-dependency-and-improve-lo.patch". The queries are coming through to the UI now; however, all queries except "show catalogs" made from my IDE, DataGrip, are causing a "Query failed internal error NullPointerException". I have tried prestosql release 331 and 332.
Can you confirm that you are or are not seeing this. Thanks
I don't use an IDE to connect. Can you provide a stacktrace of that exception?
It just shows what I mentioned above "Query failed (#20200414_202708_00007_c5pcn): Internal error java.lang.NullPointerException" I would expect this to happen if you query it in any way, not just from an IDE.
Please have a look at the logs of Presto. For all it's worth, this could also be an error from your IDE.
Update has been merged into Ranger and should be part of its 2.1 release.
@dain how do you view integrating the Plugin with Presto itself? The release cycle of Ranger is quite slow and changes to the security system in Presto happen quite frequently at the moment.
I can do the work for it.
@bolkedebruin were you able to run Presto and Ranger using Java 11? I was able to successfully run them together using Java 8 but ran into the following errors when using Java 11:
java.lang.NoClassDefFoundError: javax/annotation/PostConstruct
Resolved this by adding javax.annotation-api and then ran into the following:
java.lang.NoClassDefFoundError: org/apache/ranger/plugin/classloader/RangerPluginClassLoader
No not yet. Ranger officially has support for Java 8 not for 11 yet
I built it with the latest snapshot and then added javax.annotation, and now presto can start. But when I query a table with something like "select count(*) from movies" it says Access Denied: Cannot execute function count. When I look at the logs it says:
java.lang.NoClassDefFoundError: org/apache/zookeeper/server/ByteBufferInputStream
when trying to write the audit log to solr. I don't understand why it does not include zookeeper since in the assembly xml it has
With the latest patch I can make it work. I have a hive->default->movies table. First I should give execute for procedures and functions to all users. Then I created use/show/select for hive, then default, and then for all tables under default. But to make it work I think you should give ->information_schema->->* select to all users. Otherwise show tables is not working. If you want IDE support I think you should give the select grant on system->jdbc->-> to all users.
@ebyhr I am also facing some issues while configuring ranger in presto. Please go through this link in which I have mentioned my issue and log error trace.
Link:-
https://github.com/prestodb/presto/issues/15026
@ebyhr ebyhr/ranger@5f01488 with same changes in file ranger/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java resolved the issue.
But we are facing another issue
- query: describe tablename
  error: io.prestosql.spi.security.AccessDeniedException: Access Denied: Cannot show columns of table tablename
- When we create a group in ranger and add users in that group then we still got access denied for that user
What changes have you made in the above-mentioned file RangerSystemAccessControl?
Hi, are you able to configure the ranger presto plugin now? I am still getting issues. Please go through this link in which I have mentioned my issue and log error trace.
Link:-
prestodb/presto#15026