Internal Jenkins has submitted this change and it was merged.

Change subject: IMPALA-3915: Register privilege and audit requests when analyzing resolved table refs.
......................................................................

IMPALA-3915: Register privilege and audit requests when analyzing resolved table refs.

The bug: We used to register privilege requests for table refs in
TableRef.analyze() which only got called for unresolved TableRefs. As a result,
a reference to a view that contains a subquery did not get properly authorized,
explained as follows.
1. In the first analysis pass the view is replaced by an InlineViewRef and we
   correctly register an authorization request.
2. We rewrite the subquery via the StmtRewriter and wipe the analysis state, but
   preserve the InlineViewRef that replaces the view reference.
3. The rewritten statement is analyzed again, but since an InlineViewRef is
   considered to be resolved, we never call TableRef.analyze(), and hence never
   register an authorization event for the view.

The fix: We now register authorization and auditing events when calling
analyze() on a resolved TableRef (BaseTableRef, InlineViewRef,
CollectionTableRef).

Change-Id: I18fa8af9a94ce190c5a3c29c3221c659a2ace659
Reviewed-on: http://gerrit.cloudera.org:8080/3783
Reviewed-by: Alex Behm <[email protected]>
Tested-by: Internal Jenkins
---
M fe/src/main/java/com/cloudera/impala/analysis/Analyzer.java
M fe/src/main/java/com/cloudera/impala/analysis/BaseTableRef.java
M fe/src/main/java/com/cloudera/impala/analysis/CollectionTableRef.java
M fe/src/main/java/com/cloudera/impala/analysis/FromClause.java
M fe/src/main/java/com/cloudera/impala/analysis/InlineViewRef.java
M fe/src/main/java/com/cloudera/impala/analysis/TableRef.java
M fe/src/test/java/com/cloudera/impala/analysis/AuditingTest.java
M fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java
M testdata/datasets/functional/functional_schema_template.sql
M testdata/datasets/functional/schema_constraints.csv
10 files changed, 136 insertions(+), 104 deletions(-)

Approvals:
  Internal Jenkins: Verified
  Alex Behm: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/3783

Gerrit-MessageType: merged
Gerrit-Change-Id: I18fa8af9a94ce190c5a3c29c3221c659a2ace659
Gerrit-PatchSet: 7
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Alex Behm <[email protected]>
Gerrit-Reviewer: Alex Behm <[email protected]>
Gerrit-Reviewer: Dimitris Tsirogiannis <[email protected]>
Gerrit-Reviewer: Internal Jenkins
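
The three steps in the commit message can be reproduced with a minimal model, added here as an illustration and not taken from the Impala code base. The class names echo the commit; the fields, the `registerPrivReq` helper, the `fixed` flag and the view name are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the analysis flow described in the commit message.
// Not Impala's implementation: members and the 'fixed' flag are hypothetical.
public class ResolvedRefAuthzModel {
  /** Per-pass analysis state; a fresh instance models "wiping the analysis state". */
  static class Analyzer {
    final List<String> privilegeRequests = new ArrayList<>();
    void registerPrivReq(String object) { privilegeRequests.add(object); }
  }

  /** Unresolved reference: resolving it is where requests used to be registered. */
  static class TableRef {
    final String name;
    TableRef(String name) { this.name = name; }
    TableRef analyze(Analyzer a, boolean fixed) {
      a.registerPrivReq(name);
      return new InlineViewRef(name);  // step 1: view replaced by an InlineViewRef
    }
  }

  /** Resolved reference that survives the subquery rewrite. */
  static class InlineViewRef extends TableRef {
    InlineViewRef(String name) { super(name); }
    @Override TableRef analyze(Analyzer a, boolean fixed) {
      // Before the fix nothing was registered here, so a re-analysis left the
      // view without an authorization request. The fix registers it.
      if (fixed) a.registerPrivReq(name);
      return this;
    }
  }

  /** Runs both passes and returns the requests visible after the second one. */
  static List<String> analyzeWithRewrite(String view, boolean fixed) {
    TableRef ref = new TableRef(view).analyze(new Analyzer(), fixed);  // pass 1
    Analyzer second = new Analyzer();  // step 2: state wiped, ref preserved
    ref.analyze(second, fixed);        // step 3: re-analysis of the resolved ref
    return second.privilegeRequests;
  }

  public static void main(String[] args) {
    String view = "example_db.example_view";  // constructed name
    System.out.println("before fix: " + analyzeWithRewrite(view, false));
    System.out.println("after fix:  " + analyzeWithRewrite(view, true));
  }
}
```

A regression test for this class of bug asserts on the privilege requests produced by the final analysis pass of a statement that goes through the rewriter, which a test of a single analysis pass does not cover.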
