[
https://issues.apache.org/jira/browse/IMPALA-10122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-10122:
---------------------------------
Description:
Recall that currently Impala performs authorization with Ranger to check
whether the requesting user is granted the privilege of {{SELECT}} for the
underlying tables when a view is created and thus does not check whether the
requesting user is granted the {{SELECT}} privilege on the underlying tables
when the view is selected.
On the other hand, currently a Spark user is not allowed to directly create a
view in HMS without involving the Impala frontend, because Spark clients are
normal users (v.s. superusers). To relax this restriction, it would be good to
allow a Spark user to directly create a view in HMS without involving the
Impala frontend. However, it can be seen that the authorization check is
skipped for views created in this manner since HMS currently does not possess
the capability to perform the authorization. Due to this relaxation, for a view
created this way, the authorization of the view needs to be carried out at the
selection time to make sure the requesting user is indeed granted the
{{SELECT}} privileges on the underlying tables defined in the view.
There is also a corresponding Hive JIRA at HIVE-24026. Refer there for further
details.
was:
Recall that currently Impala performs authorization with Ranger to check
whether the requesting user is granted the privilege of {{SELECT}} for the
underlying tables when a view is created and thus does not check whether the
requesting user is granted the {{SELECT}} privilege on the underlying tables
when the view is selected.
On the other hand, currently a Spark user is not allowed to directly create a
view in HMS without involving the Impala frontend, because Spark clients are
normal users (v.s. superusers). To relax this restriction, it would be good to
allow a Spark user to directly create a view in HMS without involving the
Impala frontend. However, it can be seen that the authorization check is
skipped for views created in this manner since HMS currently does not possess
the capability to perform the authorization. Due to this relaxation, for a view
created this way, the authorization of the view needs to be carried out at the
selection time to make sure the requesting user is indeed granted the
{{SELECT}} privileges on the underlying tables defined in the view.
There is also corresponding Hive JIRA at HIVE-24026. Refer there for further
details.
> Allow view authorization to be deferred until selection time
> ------------------------------------------------------------
>
> Key: IMPALA-10122
> URL: https://issues.apache.org/jira/browse/IMPALA-10122
> Project: IMPALA
> Issue Type: New Feature
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> Recall that currently Impala performs authorization with Ranger to check
> whether the requesting user is granted the privilege of {{SELECT}} for the
> underlying tables when a view is created and thus does not check whether the
> requesting user is granted the {{SELECT}} privilege on the underlying tables
> when the view is selected.
> On the other hand, currently a Spark user is not allowed to directly create a
> view in HMS without involving the Impala frontend, because Spark clients are
> normal users (v.s. superusers). To relax this restriction, it would be good
> to allow a Spark user to directly create a view in HMS without involving the
> Impala frontend. However, it can be seen that the authorization check is
> skipped for views created in this manner since HMS currently does not possess
> the capability to perform the authorization. Due to this relaxation, for a
> view created this way, the authorization of the view needs to be carried out
> at the selection time to make sure the requesting user is indeed granted the
> {{SELECT}} privileges on the underlying tables defined in the view.
> There is also a corresponding Hive JIRA at HIVE-24026. Refer there for
> further details.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
