Repository: incubator-impala Updated Branches: refs/heads/master 98092dd6c -> 625964107
IMPALA-4951: Fix database visibility for user with only column privilege Currently a database is not visible to a user that only has column level privileges for tables in that database. This patch will make the database visible, which is the expected behavior in this case. Testing: added a test case to verify the same. Change-Id: Id77904876729c0223fd6ace2d5e7199bd700a33a Reviewed-on: http://gerrit.cloudera.org:8080/8168 Reviewed-by: Bikramjeet Vig <[email protected]> Tested-by: Impala Public Jenkins Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/0601f06c Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/0601f06c Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/0601f06c Branch: refs/heads/master Commit: 0601f06cb62549e132e1a4a1a272e72fb3839e30 Parents: 98092dd Author: Bikramjeet Vig <[email protected]> Authored: Mon Sep 25 19:59:24 2017 -0700 Committer: Impala Public Jenkins <[email protected]> Committed: Wed Oct 4 03:14:20 2017 +0000 ---------------------------------------------------------------------- .../org/apache/impala/service/Frontend.java | 3 +- .../queries/QueryTest/grant_revoke.test | 71 ++++++++++++++++++++ 2 files changed, 73 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/0601f06c/fe/src/main/java/org/apache/impala/service/Frontend.java ----------------------------------------------------------------------
diff --git a/fe/src/main/java/org/apache/impala/service/Frontend.java b/fe/src/main/java/org/apache/impala/service/Frontend.java
index 60e84b4..63941c1 100644
--- a/fe/src/main/java/org/apache/impala/service/Frontend.java
+++ b/fe/src/main/java/org/apache/impala/service/Frontend.java
@@ -58,6 +58,7 @@ import org.apache.impala.analysis.TableName;
 import org.apache.impala.analysis.TruncateStmt;
 import org.apache.impala.authorization.AuthorizationChecker;
 import org.apache.impala.authorization.AuthorizationConfig;
+import org.apache.impala.authorization.AuthorizeableTable;
 import org.apache.impala.authorization.ImpalaInternalAdminUser;
 import org.apache.impala.authorization.PrivilegeRequest;
 import org.apache.impala.authorization.PrivilegeRequestBuilder;
@@ -670,7 +671,7 @@ public class Frontend {
 return true;
 }
 PrivilegeRequest request = new PrivilegeRequestBuilder()
- .any().onAnyTable(db.getName()).toRequest();
+ .any().onAnyColumn(db.getName(), AuthorizeableTable.ANY_TABLE_NAME).toRequest();
 return authzChecker_.get().hasAccess(user, request);
 }
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/0601f06c/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test ----------------------------------------------------------------------
diff --git a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
index 3f219c5..f78f1f5 100644
--- a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
+++ b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
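Review bot: The rewritten request in the second hunk, `.any().onAnyColumn(db.getName(), AuthorizeableTable.ANY_TABLE_NAME)`, has no comment explaining why database visibility is decided by a column-scoped wildcard, so a later cleanup could revert it to `onAnyTable` and silently reintroduce IMPALA-4951. I would add above the builder: `// Column scope with a wildcard table: any grant inside this db, down to a single column, makes the db visible (IMPALA-4951).` The change also means a holder of one column privilege can now enumerate the database name, which the commit message states is intended. Whether server-, database- and table-level grants still satisfy the column-scoped request depends on how the checker resolves wildcards, which is not visible here, and the added test exercises only the column-only and no-privilege cases. The enclosing method starts above the hunk.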
@@ -741,10 +741,81 @@ scope, database, table, column, uri, privilege, grant_option, create_time
 STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
 ====
 ---- QUERY
+# IMPALA-4951: make sure database is visible to a user having only column level access
+# to a table in the database
+grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
+---- RESULTS
+====
+---- QUERY
+create role grant_revoke_test_COLUMN_PRIV
+====
+---- QUERY
+grant role grant_revoke_test_COLUMN_PRIV to group $GROUP_NAME;
+====
+---- QUERY
+create database if not exists grant_rev_db;
+====
+---- QUERY
+create table grant_rev_db.test_tbl4 (col1 int, col2 int);
+====
+---- QUERY
+revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
+====
+---- QUERY
+show grant role grant_revoke_test_COLUMN_PRIV
+---- RESULTS
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
+# grant_rev_db is not visible as user does not have any level of access to it
+show databases
+---- RESULTS
+'default','Default Hive database'
+---- TYPES
+STRING,STRING
+====
+---- QUERY
+grant select(col1) on table grant_rev_db.test_tbl4 to role grant_revoke_test_COLUMN_PRIV
+====
+---- QUERY
+show grant role grant_revoke_test_COLUMN_PRIV
+---- RESULTS: VERIFY_IS_EQUAL_SORTED
+'column','grant_rev_db','test_tbl4','col1','','select',false,regex:.+
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
+show databases
+---- RESULTS
+'default','Default Hive database'
+'grant_rev_db',''
+---- TYPES
+STRING,STRING
+====
+---- QUERY
+grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
+---- RESULTS
+====
+---- QUERY
+drop database if exists grant_rev_db cascade
+====
+---- QUERY
+revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
+====
+---- QUERY
+revoke role grant_revoke_test_COLUMN_PRIV from group $GROUP_NAME
+====
+---- QUERY
 # Cleanup test roles
 drop role grant_revoke_test_ALL_SERVER;
 drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
 drop role grant_revoke_test_ALL_URI;
 drop role grant_revoke_test_ROOT;
+drop role grant_revoke_test_COLUMN_PRIV;
 ---- RESULTS
 ====
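Review bot: The new case shows that `grant_rev_db` becomes visible once `select(col1)` is granted, but never checks that it is hidden again after that grant is revoked. The only negative `show databases` runs before any privilege exists, so a regression that leaves the database visible after revocation would pass. I would add a revoke-and-recheck section after the second `show databases` and before `grant_revoke_test_ALL_SERVER` is re-granted for cleanup. The section below assumes revocation takes effect as promptly as the grant does in the existing steps.

```sql
---- QUERY
revoke select(col1) on table grant_rev_db.test_tbl4 from role grant_revoke_test_COLUMN_PRIV
====
---- QUERY
# grant_rev_db must be hidden again once the only column privilege is gone
show databases
---- RESULTS
'default','Default Hive database'
---- TYPES
STRING,STRING
====
```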
