Alex Behm has posted comments on this change. Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions ......................................................................
Patch Set 1: (4 comments) http://gerrit.cloudera.org:8080/#/c/3520/1//COMMIT_MSG Commit Message: PS1, Line 15: Creating Can you summarize the new privilege requirements here and in the JIRA? My understanding is that CREATE FUNCTION needs CREATE privs on the database and ALL privs on the HDFS URI of the function library. (similar for DROP) http://gerrit.cloudera.org:8080/#/c/3520/1/fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java File fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java: Line 161: location_.analyze(analyzer, Privilege.ALL, FsAction.READ); For my understanding, any idea why READ on the location is not sufficient? The CREATE FUNCTION does not write/create anything in that URL. In any case, better to be consistent with Hive. http://gerrit.cloudera.org:8080/#/c/3520/1/fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java File fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java: Line 1809 we should still test that the admin can do everything Line 1813: sentryService.grantRoleToGroup(USER, "udf_uri", USER.getName()); add tests to demonstrate what SHOW FUNCTIONS commands the udf_uri user can run -- To view, visit http://gerrit.cloudera.org:8080/3520 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c Gerrit-PatchSet: 1 Gerrit-Project: Impala Gerrit-Branch: cdh5-trunk Gerrit-Owner: Bharath Vissapragada <[email protected]> Gerrit-Reviewer: Alex Behm <[email protected]> Gerrit-Reviewer: Dimitris Tsirogiannis <[email protected]> Gerrit-HasComments: Yes
