This is an automated email from the ASF dual-hosted git repository.

joemcdonnell pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git


The following commit(s) were added to refs/heads/master by this push:
     new d8c744aab IMPALA-11281: Load table metadata for ResetMetadataStmt
d8c744aab is described below

commit d8c744aab821d6c9f8cc4b5dda1c125c03d6e44e
Author: Fang-Yu Rao <[email protected]>
AuthorDate: Mon May 23 12:02:26 2022 -0700

    IMPALA-11281: Load table metadata for ResetMetadataStmt
    
    This patch loads the metadata of the table for ResetMetadataStmt if the
    table is not null and Ranger table masking is supported so that the
    information about the columns of the table could be used to check
    whether masking is enabled for any column in the table and thus the
    update operation on a table where there is a masking policy defined on
    any column could be blocked.
    
    Testing:
     - Added an E2E test to verify the update operation on a table by a
       requesting user would be denied if there is a column masking policy
       defined on any column in the table for the requesting user even
       though the table metadata have been invalidated immediately before
       the requesting user attempts to invalidate the table metadata again.
    
    Change-Id: I0c90b413974223886661697f11844d99a68fdebf
    Reviewed-on: http://gerrit.cloudera.org:8080/18561
    Reviewed-by: Impala Public Jenkins <[email protected]>
    Tested-by: Impala Public Jenkins <[email protected]>
---
 .../apache/impala/analysis/StmtMetadataLoader.java | 12 ++++++++-
 tests/authorization/test_ranger.py                 | 29 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git 
a/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java 
b/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
index 5da12183f..9bceee118 100644
--- a/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
+++ b/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
@@ -347,7 +347,17 @@ public class StmtMetadataLoader {
   private Set<TableName> collectTableCandidates(StatementBase stmt) {
     Preconditions.checkNotNull(stmt);
     List<TableRef> tblRefs = new ArrayList<>();
-    stmt.collectTableRefs(tblRefs);
+    // The information about whether table masking is supported is not 
available to
+    // ResetMetadataStmt so we collect the TableRef for ResetMetadataStmt 
whenever
+    // applicable.
+    if (stmt instanceof ResetMetadataStmt
+        && fe_.getAuthzFactory().getAuthorizationConfig().isEnabled()
+        && fe_.getAuthzFactory().supportsTableMasking()) {
+      TableName tableName = ((ResetMetadataStmt) stmt).getTableName();
+      if (tableName != null) tblRefs.add(new TableRef(tableName.toPath(), 
null));
+    } else {
+      stmt.collectTableRefs(tblRefs);
+    }
     Set<TableName> tableNames = new HashSet<>();
     for (TableRef ref: tblRefs) {
       tableNames.addAll(Path.getCandidateTables(ref.getPath(), sessionDb_));
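Review bot: The comment above the new `instanceof ResetMetadataStmt` branch says where the masking information is missing, but not why loading the table matters for authorization. Going by the commit description, the column list is what lets the masking check block the statement, so I would add `// Without loaded column metadata the column-masking check cannot see a policy on this table and INVALIDATE METADATA/REFRESH would not be blocked.` The hunk does not show what happens when the table then fails to load, so it is worth confirming that the authorization path denies rather than allows in that case. This branch also skips `stmt.collectTableRefs(tblRefs)`, which is only equivalent if ResetMetadataStmt contributes no other refs; that is not visible here either. collectTableCandidates continues past the end of the hunk.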
diff --git a/tests/authorization/test_ranger.py 
b/tests/authorization/test_ranger.py
index 049d3f4f1..9a989395c 100644
--- a/tests/authorization/test_ranger.py
+++ b/tests/authorization/test_ranger.py
@@ -1121,6 +1121,35 @@ class TestRanger(CustomClusterTestSuite):
       for i in range(policy_cnt):
         TestRanger._remove_policy(unique_name + str(i))
 
+  @pytest.mark.execute_serially
+  @CustomClusterTestSuite.with_args(
+    impalad_args=IMPALAD_ARGS, catalogd_args=CATALOGD_ARGS)
+  def test_block_metadata_update(self, vector, unique_name):
+    """Test that the metadata update operation on a table by a requesting user 
is denied
+       if there exists a column masking policy defined on any column in the 
table for the
+       requesting user even when the table metadata (e.g., list of columns) 
have been
+       invalidated immediately before the requesting user tries to invalidate 
the table
+       metadata again. This test would have failed if we did not load the 
table metadata
+       for ResetMetadataStmt."""
+    user = getuser()
+    admin_client = self.create_impala_client()
+    non_owner_client = self.create_impala_client()
+    try:
+      TestRanger._add_column_masking_policy(
+          unique_name, user, "functional", "alltypestiny", "id",
+          "CUSTOM", "id * 100")
+      self.execute_query_expect_success(admin_client,
+          "invalidate metadata functional.alltypestiny", user=ADMIN)
+      admin_client.execute("grant all on server to user {0}".format(user))
+      result = self.execute_query_expect_failure(
+          non_owner_client, "invalidate metadata functional.alltypestiny", 
user=user)
+      assert "User '{0}' does not have privileges to execute " \
+          "'INVALIDATE METADATA/REFRESH' on: 
functional.alltypestiny".format(user) \
+          in str(result)
+    finally:
+      TestRanger._remove_policy(unique_name)
+      admin_client.execute("revoke all on server from user {0}".format(user))
+
   @pytest.mark.execute_serially
   @CustomClusterTestSuite.with_args(
     impalad_args=IMPALAD_ARGS, catalogd_args=CATALOGD_ARGS)
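Review bot: In the `finally` of test_block_metadata_update, `TestRanger._remove_policy(unique_name)` runs before the revoke, so if removing the policy raises, `revoke all on server from user {0}` never executes. The test user then keeps server-wide ALL for whatever runs next on that Ranger instance. Run the revoke first inside a nested `try:` and move `TestRanger._remove_policy(unique_name)` into that inner block's `finally:`, so both cleanups are always attempted. The expected message names 'INVALIDATE METADATA/REFRESH' but only `invalidate metadata` is exercised; a `refresh functional.alltypestiny` case under the same policy would cover the other statement that presumably goes through this path.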
