ASF subversion and git services commented on IMPALA-9223:

Commit d66610837e53965cb969b78116aec58164bb8548 in impala's branch 
refs/heads/master from stiga-huang
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=d666108 ]

IMPALA-9009: Core support for Ranger column masking

Ranger provides column masking policies about how to show masked values
to specific users when reading specific columns. This patch adds support
to rewrite the query AST based on column masking policies.

We perform the column masking policies by replacing the TableRef with a
subquery doing the masking. For instance, the following query
  select c_id, c_name from customer c join orders on c_id = o_cid
will be transformed into
  select c_id, c_name  from (
    select mask1(c_id) as c_id, mask2(c_name) as c_name from customer
  ) c
  join orders
  on c_id = o_cid

The transformation is done in AST resolution. Just like view resolution,
if the table needs masking we replace it with a subquery(InlineViewRef)
containing the masking expressions.

This patch only adds support for mask types that don't require builtin
mask functions. So currently supported masking types are MASK_NULL and

Current Limitations:
 - Users are required to have privileges on all columns of a masked
   table(IMPALA-9223), since the table mask subquery contains all the

 - Add e2e tests for masked results
 - Run core tests

Change-Id: I4cad60e0e69ea573b7ecfc011b142c46ef52ed61
Reviewed-on: http://gerrit.cloudera.org:8080/14894
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>

> Don't require privileges on unmaterialized columns
> --------------------------------------------------
>                 Key: IMPALA-9223
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9223
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>            Reporter: Quanlong Huang
>            Priority: Major
> Impala requires user privileges on all columns in the query, no matter 
> whether those columns are materialized. This is a different behavior than 
> Hive's.
> For instance, for query "{{select id from (select * from customer_tiny) t}}", 
> only the {{id}} column is materialized. Hive only requires SELECT privilege 
> on the {{id}} column. However, Impala requires SELECT privileges on the table 
> or all columns of the table.
> We should consider taking the same behavior of Hive.
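
A toy model of the TableRef-to-subquery rewrite from the commit message and of the privilege behaviour reported in IMPALA-9223, added here as an illustration; it is not Impala's code. The schema, the policy table, the `NULL AS col` rendering of MASK_NULL, the all-columns select list and the `prune` flag are assumptions.

```python
from dataclasses import dataclass

# Constructed sample catalog and policies (assumptions, not Ranger or Impala data).
SCHEMA = {"customer": ["c_id", "c_name", "c_phone"],
          "orders": ["o_id", "o_cid"]}
MASKS = {"customer": {"c_name": "MASK_NULL"}}  # table -> {column: mask type}


@dataclass(frozen=True)
class TableRef:
    table: str
    alias: str


def mask_expr(col, mask_type):
    """Render one masked select-list item; only MASK_NULL is modelled."""
    if mask_type == "MASK_NULL":
        return f"NULL AS {col}"
    raise NotImplementedError(f"mask type {mask_type} needs a builtin function")


def resolve(ref):
    """Return the FROM-clause item: the plain table, or a masking inline view."""
    policy = MASKS.get(ref.table)
    if not policy:
        return f"{ref.table} {ref.alias}"
    # Assumption: the mask subquery lists every column of the table.
    items = [mask_expr(c, policy[c]) if c in policy else c
             for c in SCHEMA[ref.table]]
    return f"(SELECT {', '.join(items)} FROM {ref.table}) {ref.alias}"


def columns_checked(ref, materialized, prune):
    """Columns whose SELECT privilege is checked for this table.

    prune=False: every column the mask subquery references is checked.
    prune=True:  only columns the outer query materializes are checked.
    """
    cols = set(SCHEMA[ref.table])
    if ref.table in MASKS and not prune:
        return cols
    return cols & set(materialized)


if __name__ == "__main__":
    c = TableRef("customer", "c")
    print(resolve(c))
    print(sorted(columns_checked(c, {"c_id", "c_name"}, prune=False)))
    print(sorted(columns_checked(c, {"c_id", "c_name"}, prune=True)))
```

With `prune=False` a user who was granted SELECT only on `c_id` and `c_name` fails the check because of `c_phone`, even though the outer query never reads it.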
