[jira] [Updated] (IMPALA-10122) Allow view authorization to be deferred until selection time

Tue, 01 Sep 2020 10:20:56 -0700 


     [ 
https://issues.apache.org/jira/browse/IMPALA-10122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fang-Yu Rao updated IMPALA-10122:
---------------------------------
    Summary: Allow view authorization to be deferred until selection time  
(was: Allow view authorization to be deferred until being selected)

> Allow view authorization to be deferred until selection time
> ------------------------------------------------------------
>
>                 Key: IMPALA-10122
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10122
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Recall that currently Impala performs authorization with Ranger to check 
> whether the requesting user is granted the privilege of {{SELECT}} for the 
> underlying tables when a view is created and thus does not check whether the 
> requesting user is granted the {{SELECT}} privilege on the underlying tables 
> when the view is selected.
> On the other hand, currently a Spark user is not allowed to directly create a 
> view in HMS without involving the Impala frontend, because Spark clients are 
> normal users (v.s. superusers). To relax this restriction, it would be good 
> to allow a Spark user to directly create a view in HMS without involving the 
> Impala frontend. However, it can be seen that the authorization check is 
> skipped for views created in this manner since HMS currently does not possess 
> the capability to perform the authorization. Due to this relaxation, for a 
> view created this way, the authorization of the view needs to be carried out 
> at the selection time to make sure the requesting user is indeed granted the 
> {{SELECT}} privileges on the underlying tables defined in the view.
> There is also corresponding Hive JIRA at HIVE-24026. Refer there for further 
> details.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to