[
https://issues.apache.org/jira/browse/IMPALA-8100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16798508#comment-16798508
]
ASF subversion and git services commented on IMPALA-8100:
---------------------------------------------------------
Commit 656a2e8af04d23623da9fbcb4c2d2e8153d85083 in impala's branch
refs/heads/master from Fredy Wijaya
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=656a2e8 ]
IMPALA-8100: Add initial support for Ranger
This patch adds an initial support for Ranger that can be enabled via
the following flags in both impalad and catalogd to do enforcement.
- ranger_service_type=hive
- ranger_app_id=some_app_id
- authorization_factory_class=\
org.apache.impala.authorization.ranger.RangerAuthorizationFactory
The Ranger plugin for Impala uses Hive service definition to allow
sharing Ranger policies between Hive and Impala. Temporarily the REFRESH
privilege uses "read" access type and it will be updated in the later
patch once Ranger supports "refresh" access type.
There's a change in DESCRIBE <table> privilege requirement to use ANY
privilege instead of VIEW_METADATA privilege as the first-level check
to play nicely with Ranger. This is not a security risk since the
column-level filtering logic after the first-level check will use
VIEW_METADATA privilege to filter out unauthorized column access. In
other words, DESCRIBE <table> may return an empty result instead of
an authorization error as long as there exists any privilege in the
given table.
This patch updates AuthorizationStmtTest with a parameterized test that
runs the tests against Sentry and Ranger.
Testing:
- Updated AuthorizationStmtTest with Ranger
- Ran all FE tests
- Ran all E2E authorization tests
Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276
Reviewed-on: http://gerrit.cloudera.org:8080/12632
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Add support for Apache Ranger as an alternative authorization provider
> ----------------------------------------------------------------------
>
> Key: IMPALA-8100
> URL: https://issues.apache.org/jira/browse/IMPALA-8100
> Project: IMPALA
> Issue Type: Sub-task
> Components: Catalog
> Reporter: Fredy Wijaya
> Assignee: Fredy Wijaya
> Priority: Major
> Fix For: Impala 3.3.0
>
>
> Currently Impala only support Apache Sentry (https://sentry.apache.org/) as
> an authorization provider. We need to support Apache Ranger
> (https://ranger.apache.org/) as an alternative authorization provider.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
