[
https://issues.apache.org/jira/browse/IMPALA-2595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Rahn updated IMPALA-2595:
------------------------------
Summary: Impala inconsistently checks authorization on query and explain
query (was: Impala does inconsistently authorization check on query and
explain query)
> Impala inconsistently checks authorization on query and explain query
> ---------------------------------------------------------------------
>
> Key: IMPALA-2595
> URL: https://issues.apache.org/jira/browse/IMPALA-2595
> Project: IMPALA
> Issue Type: Bug
> Components: Security
> Affects Versions: Impala 2.2
> Reporter: Juan Yu
> Priority: Minor
>
> Impala does different authorization checks on a select query and an explain
> select query.
> For example:
> create table foo (col int);
> create view foo_vw1 as (select * from foo);
> create view foo_vw as (select *, now() from foo);
> select * from foo_vw;
> Impala only checks if the user can access the view
> {code}
> I1022 08:49:02.224016 25705 Frontend.java:775] analyze query select * from
> foo_vw
> I1022 08:49:02.226773 25705 ResourceAuthorizationProvider.java:82]
> Authorization Request for Subject [name=user1] [Server [name=server1],
> Database [name=default], Table [name=foo_vw]] and [SELECT]
> I1022 08:49:02.236524 25705 SimpleDBPolicyEngine.java:76] Getting permissions
> for [analyst, user1]
> I1022 08:49:02.236763 25705 SimpleDBPolicyEngine.java:80] result =
> [server=server1->db=iah_crm_analysis, server=server1->db=default,
> server=server1->db=iah_crm_analysis_views,
> server=server1->db=iah_crm_analysis_views->table=simple_view->action=select,
> server=server1->db=_impala_builtins]
> I1022 08:49:02.237030 25705 ResourceAuthorizationProvider.java:113]
> ProviderPrivilege server=server1->db=iah_crm_analysis, RequestPrivilege
> Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet,
> ActiveRoleSet = [ roles = ALL , Result false
> I1022 08:49:02.237216 25705 ResourceAuthorizationProvider.java:113]
> ProviderPrivilege server=server1->db=default, RequestPrivilege
> Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet,
> ActiveRoleSet = [ roles = ALL , Result true
> I1022 08:49:02.237313 25705 Frontend.java:849] create plan
> {code}
> explain select * from foo_vw1;
> Impala checks if the user can access both the view and the underlying table
> {code}
> I1022 08:45:15.358471 25705 Frontend.java:775] analyze query explain select *
> from foo_vw1
> I1022 08:45:15.359199 25705 Frontend.java:724] Requesting prioritized load of
> table(s): default.foo_vw1
> I1022 08:45:18.388422 25705 ResourceAuthorizationProvider.java:82]
> Authorization Request for Subject [name=user1] [Server [name=server1],
> Database [name=default], Table [name=foo_vw1]] and [SELECT]
> I1022 08:45:18.393242 25705 ResourceAuthorizationProvider.java:82]
> Authorization Request for Subject [name=user1] [Server [name=server1],
> Database [name=default], Table [name=foo]] and [SELECT]
> {code}
> explain select * from foo_vw;
> If the view contains a builtin function, Impala will check if the user can
> access the builtin database "_impala_builtins" as well.
> {code}
> I1022 08:41:35.863819 25705 Frontend.java:775] analyze query explain select *
> from foo_vw
> I1022 08:41:35.864527 25705 Frontend.java:724] Requesting prioritized load of
> table(s): default.foo_vw
> I1022 08:41:40.283463 25705 ResourceAuthorizationProvider.java:82]
> Authorization Request for Subject [name=user1] [Server [name=server1],
> Database [name=default], Table [name=foo_vw]] and [SELECT]
> I1022 08:41:40.284415 25705 ResourceAuthorizationProvider.java:82]
> Authorization Request for Subject [name=user1] [Server [name=server1],
> Database [name=default], Table [name=foo]] and [SELECT]
> I1022 08:41:40.288105 25705 ResourceAuthorizationProvider.java:82]
> Authorization Request for Subject [name=user1] [Server [name=server1],
> Database [name=_impala_builtins]] and [INSERT]
> I1022 08:41:40.289621 25705 ResourceAuthorizationProvider.java:82]
> Authorization Request for Subject [name=user1] [Server [name=server1],
> Database [name=_impala_builtins]] and [INSERT]
> {code}
> This doesn't seem to make sense.
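A log check for the inconsistency reported above, as an added example that is not part of the original message or Impala's own code: it groups each `Authorization Request` line under the preceding `analyze query` line and diffs the resources checked for a statement against those checked for its `explain` form. The function names are hypothetical, and it assumes unwrapped log lines from a single thread in the format quoted in the report.

```python
import re
from collections import defaultdict

# Sample input: log lines from the report, re-joined onto single lines
# (the policy-engine lines are omitted).
SAMPLE_LOG = """\
I1022 08:49:02.224016 25705 Frontend.java:775] analyze query select * from foo_vw
I1022 08:49:02.226773 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo_vw]] and [SELECT]
I1022 08:41:35.863819 25705 Frontend.java:775] analyze query explain select * from foo_vw
I1022 08:41:35.864527 25705 Frontend.java:724] Requesting prioritized load of table(s): default.foo_vw
I1022 08:41:40.283463 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo_vw]] and [SELECT]
I1022 08:41:40.284415 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo]] and [SELECT]
I1022 08:41:40.288105 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=_impala_builtins]] and [INSERT]
I1022 08:41:40.289621 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=_impala_builtins]] and [INSERT]
"""

ANALYZE = re.compile(r"\] analyze query (?P<sql>.+)$")
AUTHZ = re.compile(
    r"Authorization Request for Subject \[name=[^\]]+\] "
    r"\[Server \[name=[^\]]+\], Database \[name=(?P<db>[^\]]+)\]"
    r"(?:, Table \[name=(?P<table>[^\]]+)\])?\] and \[(?P<action>\w+)\]"
)

def checks_by_statement(log_text):
    """Map (is_explain, statement) -> set of (db, table, action) that were checked."""
    checks = defaultdict(set)
    current = None
    for line in log_text.splitlines():
        m = ANALYZE.search(line)
        if m:
            sql = " ".join(m["sql"].lower().split())  # normalize case and spacing
            is_explain = sql.startswith("explain ")
            current = (is_explain, sql[len("explain "):] if is_explain else sql)
            checks[current]  # record the statement even if no check follows
            continue
        m = AUTHZ.search(line)
        if m and current is not None:
            checks[current].add((m["db"], m["table"], m["action"]))
    return checks

def inconsistent_statements(log_text):
    """Return {statement: (only_in_select, only_in_explain)} where the sets differ."""
    checks = checks_by_statement(log_text)
    out = {}
    for (is_explain, sql), plain in list(checks.items()):
        explain = checks.get((True, sql))
        if not is_explain and explain is not None and plain != explain:
            out[sql] = (plain - explain, explain - plain)
    return out
```

On a multi-threaded log, key `current` by the thread id field (25705 in the sample) so that requests from concurrent sessions are not attributed to the wrong statement.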