[
https://issues.apache.org/jira/browse/IMPALA-7325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16569301#comment-16569301
]
ASF subversion and git services commented on IMPALA-7325:
---------------------------------------------------------
Commit 504e9955a1481425c9fde64f9259d4b16b0f27c5 in impala's branch
refs/heads/master from [~fredyw]
[ https://git-wip-us.apache.org/repos/asf?p=impala.git;h=504e995 ]
IMPALA-7325: Incorrect SHOW CREATE VIEW with built-in functions
In the prior code, the authorization checker for the masked privilege
requests skips the check for system database access. As a result, certain
commands, such as SHOW CREATE VIEW that references the built-in database,
require permission to access the built-in database, where accessing
the built-in database should always be allowed. The patch fixes it by using
the authorizePrivilegeRequest() method that does a check on the system
database similar to how other authorization checks are performed.
Testing:
- Added new authorization test
- Ran all FE tests
Change-Id: Ia164c55fd9459cf5f11eb72561e9cd4ffe1d5367
Reviewed-on: http://gerrit.cloudera.org:8080/10995
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> SHOW CREATE VIEW on a view that references built-in functions requires access
> to the built-in database
> ------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-7325
> URL: https://issues.apache.org/jira/browse/IMPALA-7325
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 3.0, Impala 2.12.0
> Reporter: Fredy Wijaya
> Assignee: Fredy Wijaya
> Priority: Major
> Labels: security
>
> {noformat}
> [localhost:21000] default> create table foo.t(i int);
> [localhost:21000] default> create view foo.v1 as select count(*) from foo.t;
> [localhost:21000] default> create view foo.v2 as select * from foo.t;
> [localhost:21000] default> grant select on database foo to role foo_role;
> [localhost:21000] default> show create view foo.v1;
> Query: show create view foo.v1
> ERROR: AuthorizationException: User 'impdev' does not have privileges to see
> the definition of view 'foo.v1'.
> [localhost:21000] default> show create view foo.v2;
> Query: show create view foo.v2
> +-----------------------+
> | result |
> +-----------------------+
> | CREATE VIEW foo.v2 AS |
> | SELECT * FROM foo.t |
> +-----------------------+
> Fetched 1 row(s) in 0.01s
> {noformat}
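An added illustration, not part of the original message and not Impala's code, of the check ordering the commit message describes: the masked-request path consulted the policy directly, while the regular path first allows system database access. Apart from the method name authorizePrivilegeRequest, every class and method name, the `builtin_db` stand-in and the grant set are assumptions made for this sketch.

```java
import java.util.List;
import java.util.Set;

// Simplified model, not Impala source. Only the method name
// authorizePrivilegeRequest comes from the commit message; the rest is assumed.
public class MaskedPrivilegeCheckDemo {
  static final String SYSTEM_DB = "builtin_db"; // constructed stand-in name
  // Constructed policy: the role was granted SELECT on database foo only.
  static final Set<String> GRANTED_DBS = Set.of("foo");

  // Raw policy lookup with no special case for the system database.
  static boolean hasAccess(String db) {
    return GRANTED_DBS.contains(db);
  }

  // Regular path: system database access is always allowed.
  static boolean authorizePrivilegeRequest(String db) {
    return db.equals(SYSTEM_DB) || hasAccess(db);
  }

  // Prior behaviour: masked requests went straight to the policy lookup.
  static boolean canSeeViewDefinitionBefore(List<String> referencedDbs) {
    return referencedDbs.stream().allMatch(MaskedPrivilegeCheckDemo::hasAccess);
  }

  // Fixed behaviour: masked requests reuse authorizePrivilegeRequest().
  static boolean canSeeViewDefinitionAfter(List<String> referencedDbs) {
    return referencedDbs.stream()
        .allMatch(MaskedPrivilegeCheckDemo::authorizePrivilegeRequest);
  }

  public static void main(String[] args) {
    // foo.v1 uses count(*), so it references the system database as well as foo.
    List<String> v1 = List.of("foo", SYSTEM_DB);
    // foo.v2 references only foo.t.
    List<String> v2 = List.of("foo");
    // Regression case: a view over an ungranted database must stay hidden.
    List<String> other = List.of("bar", SYSTEM_DB);

    System.out.println("v1 before fix: " + canSeeViewDefinitionBefore(v1));
    System.out.println("v1 after fix:  " + canSeeViewDefinitionAfter(v1));
    System.out.println("v2 before fix: " + canSeeViewDefinitionBefore(v2));
    System.out.println("v2 after fix:  " + canSeeViewDefinitionAfter(v2));
    System.out.println("other after fix: " + canSeeViewDefinitionAfter(other));
  }
}
```

The last case is the one an authorization test for this kind of fix should keep: allowing the system database must not widen access to views over databases the role was never granted.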