[ https://issues.apache.org/jira/browse/IMPALA-7074?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Holley updated IMPALA-7074:
--------------------------------
    Description: 
When objects are created and owner privilege is enabled in Sentry, we should 
create an owner privilege in the catalog without waiting for the next Sentry 
poll to get the owner privilege.  This should also be done for DROP DB/Table, 
and ALTER DB/Table set owner.  These privileges should mirror the privileges 
that are created in Sentry.  As with other GRANT operations, the results of the 
"SHOW GRANT ROLE" statements will have a create date of NULL for privileges 
that have not been refreshed from Sentry.

For this Jira, we're adding code to the various catalog operations to create or 
remove privileges as necessary.  Because catalogd does not have the server_name 
set, we opted to pass the server_name as part of the catalog operations so the 
catalog is able to create the privileges.  

Additionally, because we want to ensure consistency with Sentry, we grab 
the SentryOwnerPrivilegeType from Sentry instead of reading from the local 
config file.

This change requires a new series of tests that will execute both with and 
without data refreshed from the Sentry privilege database.

  was:When objects are created and owner privilege is enabled in sentry, we 
should create an owner privilege in the catalog without waiting for the next 
sentry poll to get the owner privilege.  This should also be done for DROP 
DB/Table, and ALTER DB/Table set owner.


> Update OWNER privilege on CREATE, DROP, and ALTER SET OWNER
> -----------------------------------------------------------
>
>                 Key: IMPALA-7074
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7074
>             Project: IMPALA
>          Issue Type: Sub-task
>          Components: Frontend
>            Reporter: Fredy Wijaya
>            Assignee: Adam Holley
>            Priority: Major
>              Labels: security
>             Fix For: Impala 3.1.0
>
>
> When objects are created and owner privilege is enabled in Sentry, we should 
> create an owner privilege in the catalog without waiting for the next Sentry 
> poll to get the owner privilege.  This should also be done for DROP DB/Table, 
> and ALTER DB/Table set owner.  These privileges should mirror the privileges 
> that are created in Sentry.  As with other GRANT operations, the results of 
> the "SHOW GRANT ROLE" statements will have a create date of NULL for 
> privileges that have not been refreshed from Sentry.
> For this Jira, we're adding code to the various catalog operations to create 
> or remove privileges as necessary.  Because catalogd does not have the 
> server_name set, we opted to pass the server_name as part of the catalog 
> operations so the catalog is able to create the privileges.  
> Additionally, because we want to ensure consistency with Sentry, we grab 
> the SentryOwnerPrivilegeType from Sentry instead of reading from the local 
> config file.
> This change requires a new series of tests that will execute both with and 
> without data refreshed from the Sentry privilege database.


