Repository: incubator-impala
Updated Branches:
  refs/heads/master 1b0852c9d -> fba3fc21f
IMPALA-5638: [DOCS] Add known issue for Impala-Kudu-Sentry issue

Change-Id: I93e99aec2fcbc12f94678e60ebb9d150e72fc77d
Reviewed-on: http://gerrit.cloudera.org:8080/8421
Reviewed-by: Bharath Vissapragada <[email protected]>
Tested-by: Impala Public Jenkins

Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/fba3fc21
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/fba3fc21
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/fba3fc21

Branch: refs/heads/master
Commit: fba3fc21fb8046ee885be20ab9a3b4612ebb7b53
Parents: 1b0852c
Author: John Russell <[email protected]>
Authored: Mon Oct 30 16:29:32 2017 -0700
Committer: Impala Public Jenkins <[email protected]>
Committed: Tue Oct 31 21:17:33 2017 +0000

----------------------------------------------------------------------
 docs/topics/impala_known_issues.xml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/fba3fc21/docs/topics/impala_known_issues.xml
----------------------------------------------------------------------
diff --git a/docs/topics/impala_known_issues.xml b/docs/topics/impala_known_issues.xml index 28196f5..890833f 100644 --- a/docs/topics/impala_known_issues.xml +++ b/docs/topics/impala_known_issues.xml 
@@ -534,6 +534,27 @@ https://issues.apache.org/jira/browse/IMPALA-2144 - Don't have </conbody> + <concept id="IMPALA-5638"> + <title>Malicious user can gain unauthorized access to Kudu table data via Impala</title> + <conbody> + <p> + A malicious user with <codeph>ALTER</codeph> permissions on an Impala table can access any + other Kudu table data by altering the table properties to make it <q>external</q> + and then changing the underlying table mapping to point to other Kudu tables. + This violates and works around the authorization requirement that creating a + Kudu external table via Impala requires an <codeph>ALL</codeph> privilege at the server scope. + This privilege requirement for <codeph>CREATE</codeph> commands is enforced to precisely avoid + this scenario where a malicious user can change the underlying Kudu table + mapping. The fix is to enforce the same privilege requirement for <codeph>ALTER</codeph> + commands that would make existing non-external Kudu tables external. + </p> + <p><b>Bug:</b> <xref keyref="IMPALA-5638">IMPALA-5638</xref></p> + <p><b>Severity:</b> High</p> + <p><b>Workaround:</b> A temporary workaround is to revoke <codeph>ALTER</codeph> permissions on Impala tables.</p> + <p><b>Resolution:</b> Upgrade to an Impala version containing the fix for <xref keyref="IMPALA-5638">IMPALA-5638</xref>.</p> + </conbody> + </concept> + <concept id="renewable_kerberos_tickets"> <!-- Not part of Alex's spreadsheet. Not associated with a JIRA number AFAIK. -->
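Review bot: The Resolution paragraph of the new IMPALA-5638 concept says only "Upgrade to an Impala version containing the fix", so a reader cannot tell from this entry whether the release they run is affected; name the first fixed release there, or add an affected-versions line, once it is known. The Workaround paragraph has a similar gap: "revoke ALTER permissions on Impala tables" does not say which tables or which principals, while the description ties the fix to ALTER commands on "existing non-external Kudu tables", so state whether the revoke is needed for ALTER grants on Kudu-backed tables held by untrusted roles or for every ALTER grant. The description also refers to "altering the table properties" without naming them; naming the properties would let administrators check for tables that have already been changed. Wording nits in the first paragraph: "enforced to precisely avoid" reads better as "enforced precisely to avoid", and "any other Kudu table data" as "data in any other Kudu table".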
