Quanlong Huang created IMPALA-10484:
---------------------------------------

             Summary: Support using unrelated collection columns of a table 
containing row-filtering policies
                 Key: IMPALA-10484
                 URL: https://issues.apache.org/jira/browse/IMPALA-10484
             Project: IMPALA
          Issue Type: New Feature
          Components: Security
    Affects Versions: Impala 4.0
            Reporter: Quanlong Huang


This is a follow-up for IMPALA-9234. Row-filtering policies are applied as the 
WHERE clause of the table masking view of the base table/view. E.g. if table 
"tblA" contains a row-filtering policy "id=0", the original query "{{select * 
from tblA join tblB on (id)}}" will be analyzed as
{code:sql}
select * from (
  select col1, col2, ..., colN from tblA where id = 0
) v join tblB on (id)
{code}
Tables containing complex types are more complex to analyze. Let's say "tblA" 
contains two columns:
||id int||int_array array<int>||
|0|[1,2,3]|
|1|[4,5]|

The following queries get all items of the array column:
{code:sql}
-- Good for applying table masking view on tblA
select a.item from tblA t, t.int_array a;

-- Hard to apply table masking view on tblA
select item from tblA.int_array;
{code}
The second query uses an unrelated collection column directly. So we can't apply 
the row-filtering policies on the base table. This will leak data, so 
IMPALA-9234 forbids them.

We can support this by rewriting the second query to the first one. Luckily, 
we already have a rewriter containing this ability: {{AcidRewriter}} in 
{{StmtRewriter}}. With some refactoring it can be reused. However, there is a bug 
(IMPALA-10482) that needs to be fixed first.
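
Added example, not part of the original issue and not Impala's own code: the rewrite proposed above composed with the table masking view, for the sample "tblA" and assuming its row-filtering policy is "id = 0". The aliases t and a, and the view form in step 3, are illustrative and use the same notation as the analyzed query earlier in the description.

```sql
-- Step 1: the query as the user writes it. The FROM clause names the
-- collection column by its absolute path, so no row of tblA is in scope
-- and there is nowhere to attach the policy predicate on "id".
select item from tblA.int_array;

-- Step 2: the proposed rewrite. The collection is reached through its
-- parent row (alias t), which brings tblA itself into the FROM clause.
select a.item from tblA t, t.int_array a;

-- Step 3: with tblA in the FROM clause, it can be replaced by its table
-- masking view, whose WHERE clause is the row-filtering policy. The
-- collection reference is now relative to the filtered view, so only
-- arrays of rows that pass the policy are unnested.
select a.item from (
  select id, int_array from tblA where id = 0
) t, t.int_array a;
```

With the two sample rows, step 3 can only yield the items 1, 2 and 3. The items 4 and 5 belong to the row with id = 1 and are reachable only through the unfiltered form in step 1, which is the leak that IMPALA-9234 prevents by rejecting such queries.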


