ASF subversion and git services commented on IMPALA-8228:

Commit ced6e98fb4c361efa4bcc7e5441ccdb8debba8e9 in impala's branch 
refs/heads/master from Bharath Vissapragada
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=ced6e98 ]

IMPALA-8228: Ownership support for Ranger authz

Without this patch, explicit privileges are needed even
for owners of databases/tables to perform actions on them.

Example: 'user' is the owner of database 'foo'. To create
a table 't' under 'foo', 'user' needs to be granted a CREATE
privilege on 'foo'.

That is unintuitive from a user POV since users expect owners
to have ALL privileges on the objects they own. This patch extends
that support to Impala's ranger authorization plugin.

Ranger natively supports the concept of ownership by letting the
callers pass the ownership context to RangerAccessResourceImpl.
This patch plumbs the owner information for the authorizables
(currently only supported for Tables / Databases) which is then
evaluated during authorization.

For the ownership based authorization to work, ranger-admin side
policy on {OWNER} user needs to be defined.

Testing: Added some unit-tests and e-e tests that cover scenarios
where ownership is used for authorization.

Caveat: Ownership is a part of HMS thrift object. Since we do not
aggressively load HMS schemas during start-up, coordinators with
cold caches can result in weird table listings due to lack of
metadata needed for verifying ownership. This should be fixed
separately to make the behavior more consistent and user friendly.
(Added comments in the code wherever necessary along with a test
to simulate this).

Change-Id: I737b7164a3e7afb9996b3402e6872effd663f7b4
Reviewed-on: http://gerrit.cloudera.org:8080/14106
Reviewed-by: Bharath Vissapragada <bhara...@cloudera.com>
Tested-by: Bharath Vissapragada <bhara...@cloudera.com>

> Support for object ownership with Ranger authorization provider
> ---------------------------------------------------------------
>                 Key: IMPALA-8228
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8228
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Catalog, Frontend
>            Reporter: Fredy Wijaya
>            Priority: Major
> This ticket should investigate whether it's feasible to implement object 
> ownership with Ranger. If it's not feasible, we should update the code to act 
> accordingly when Impala is enabled with Ranger.
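
An added example (a simplified Python model, not code from the Impala patch or from Ranger) of the behaviour the commit message describes: a policy item on the {OWNER} user grants access only when the caller matches the resource's owner, so a resource whose owner has not been loaded yet fails the check. The class and function names, the privilege strings, the listing rule and the sample data are assumptions made for illustration.

```python
# Simplified model of owner-based authorization; not Ranger's or Impala's code.
from dataclasses import dataclass
from typing import Optional

OWNER_MACRO = "{OWNER}"  # policy user placeholder named in the commit message


@dataclass(frozen=True)
class Resource:
    database: str
    table: Optional[str] = None
    owner: Optional[str] = None  # None models metadata not loaded yet (cold cache)


@dataclass(frozen=True)
class PolicyItem:
    users: frozenset
    privileges: frozenset


def is_allowed(user, privilege, resource, policy_items):
    """Allow if an item names the user, or names {OWNER} and the user is the owner."""
    for item in policy_items:
        if privilege not in item.privileges and "ALL" not in item.privileges:
            continue
        if user in item.users:
            return True
        # The owner macro can only match when the owner is known.
        owner_known = resource.owner is not None
        if OWNER_MACRO in item.users and owner_known and resource.owner == user:
            return True
    return False


def visible_tables(user, tables, policy_items):
    """Authorization-filtered listing (assumption: SELECT decides visibility)."""
    return [t.table for t in tables if is_allowed(user, "SELECT", t, policy_items)]


# Constructed sample data: one {OWNER} policy item granting ALL.
OWNER_POLICY = [PolicyItem(frozenset({OWNER_MACRO}), frozenset({"ALL"}))]
FOO = Resource("foo", owner="user")
WARM = [Resource("foo", "t", owner="user"), Resource("foo", "u", owner="other")]
COLD = [Resource("foo", "t"), Resource("foo", "u")]  # owners not loaded

if __name__ == "__main__":
    print(is_allowed("user", "CREATE", FOO, OWNER_POLICY))  # owner, policy defined
    print(is_allowed("user", "CREATE", FOO, []))            # owner, no policy
    print(visible_tables("user", WARM, OWNER_POLICY))       # owner metadata loaded
    print(visible_tables("user", COLD, OWNER_POLICY))       # owner metadata missing
```

In this model the same user sees a different table list depending only on whether owner metadata is present, which is the kind of inconsistency the caveat in the commit message warns about.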
