[ https://issues.apache.org/jira/browse/IMPALA-10122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fang-Yu Rao updated IMPALA-10122:
---------------------------------
    Description: 
Recall that currently Impala performs authorization with Ranger to check 
whether the requesting user is granted the privilege of {{SELECT}} for the 
underlying tables when a view is created and thus does not check whether the 
requesting user is granted the {{SELECT}} privilege on the underlying tables 
when the view is selected.

On the other hand, currently a Spark user is not allowed to directly create a 
view in HMS without involving the Impala frontend, because Spark clients are 
normal users (vs. superusers). To relax this restriction, it would be good to 
allow a Spark user to directly create a view in HMS without involving the 
Impala frontend. However, it can be seen that the authorization check is 
skipped for views created in this manner since HMS currently does not possess 
the capability to perform the authorization. Due to this relaxation, for a view 
created this way, the authorization of the view needs to be carried out at the 
selection time to make sure the requesting user is indeed granted the 
{{SELECT}} privileges on the underlying tables defined in the view.

There is also a corresponding Hive JIRA at HIVE-24026. Refer there for further 
details.

 

  was:
Recall that currently Impala performs authorization with Ranger to check 
whether the requesting user is granted the privilege of {{SELECT}} for the 
underlying tables when a view is created and thus does not check whether the 
requesting user is granted the {{SELECT}} privilege on the underlying tables 
when the view is selected.

On the other hand, currently a Spark user is not allowed to directly create a 
view in HMS without involving the Impala frontend, because Spark clients are 
normal users (vs. superusers). To relax this restriction, it would be good to 
allow a Spark user to directly create a view in HMS without involving the 
Impala frontend. However, it can be seen that the authorization check is 
skipped for views created in this manner since HMS currently does not possess 
the capability to perform the authorization. Due to this relaxation, for a view 
created this way, the authorization of the view needs to be carried out at the 
selection time to make sure the requesting user is indeed granted the 
{{SELECT}} privileges on the underlying tables defined in the view.

There is also corresponding Hive JIRA at HIVE-24026. Refer there for further 
details.

 


> Allow view authorization to be deferred until selection time
> ------------------------------------------------------------
>
>                 Key: IMPALA-10122
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10122
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Recall that currently Impala performs authorization with Ranger to check 
> whether the requesting user is granted the privilege of {{SELECT}} for the 
> underlying tables when a view is created and thus does not check whether the 
> requesting user is granted the {{SELECT}} privilege on the underlying tables 
> when the view is selected.
> On the other hand, currently a Spark user is not allowed to directly create a 
> view in HMS without involving the Impala frontend, because Spark clients are 
> normal users (vs. superusers). To relax this restriction, it would be good 
> to allow a Spark user to directly create a view in HMS without involving the 
> Impala frontend. However, it can be seen that the authorization check is 
> skipped for views created in this manner since HMS currently does not possess 
> the capability to perform the authorization. Due to this relaxation, for a 
> view created this way, the authorization of the view needs to be carried out 
> at the selection time to make sure the requesting user is indeed granted the 
> {{SELECT}} privileges on the underlying tables defined in the view.
> There is also a corresponding Hive JIRA at HIVE-24026. Refer there for 
> further details.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
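
The create-time versus selection-time check described in this issue, as an added conceptual model (not part of the original message and not Impala, Ranger or HMS code). All names, the grant table and the assumption that the view itself also requires SELECT are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample grants: (user, object) pairs that hold SELECT.
GRANTS = {
    ("alice", "db.orders"),
    ("alice", "db.v_frontend"),
    ("bob", "db.v_frontend"),
    ("bob", "db.v_hms"),
}

@dataclass(frozen=True)
class View:
    name: str
    base_tables: tuple
    # True: created through the frontend, base tables were checked at creation.
    # False: created directly in HMS, where no check was performed.
    authorized_at_creation: bool

def has_select(user, obj):
    return (user, obj) in GRANTS

def create_view_via_frontend(creator, name, base_tables):
    """Create-time check: the creator needs SELECT on every underlying table."""
    missing = [t for t in base_tables if not has_select(creator, t)]
    if missing:
        raise PermissionError(f"{creator} lacks SELECT on {missing}")
    return View(name, tuple(base_tables), True)

def create_view_via_hms(name, base_tables):
    """Direct creation in the metastore: nothing is checked here."""
    return View(name, tuple(base_tables), False)

def authorize_select(user, view):
    """Return the objects on which `user` lacks SELECT; empty means allowed.

    Assumption: the view itself always requires SELECT. The underlying tables
    are checked only when the check was deferred, i.e. skipped at creation.
    """
    required = [view.name]
    if not view.authorized_at_creation:
        required.extend(view.base_tables)
    return [obj for obj in required if not has_select(user, obj)]

if __name__ == "__main__":
    v_hms = create_view_via_hms("db.v_hms", ["db.orders"])
    print(authorize_select("bob", v_hms))  # bob is denied on the base table
```

Without the deferred branch in authorize_select, bob's grant on db.v_hms alone would expose db.orders, which is the gap the issue sets out to close.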