[
https://issues.apache.org/jira/browse/IMPALA-10483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306656#comment-17306656
]
ASF subversion and git services commented on IMPALA-10483:
----------------------------------------------------------
Commit a0f77680c53d4bd4b85aa2d80224dbd76dd15126 in impala's branch
refs/heads/master from stiga-huang
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=a0f7768 ]
IMPALA-10483: Support subqueries in Ranger masking policies
This patch adds support for using subqueries in Ranger masking policies,
i.e. column-masking/row-filtering policies. The subquery can reference
either the current table or other tables. However, masking policies on
these tables won't be applied recursively. This is consistent with Hive.
One motivation is to avoid infinitely masking if it references the same
table. Another motivation I think is to simplify the masking behavior,
so when the admin is setting a masking expression, it can be considered
as running in the admin's perspective (i.e. no masking).
Implementation
Before analyzing the query, the coordinator loads the metadata of all
possibly used tables into the query's StmtTableCache. Table masking
takes place after the analyzing phase. If the subquery filter introduces
any new tables, the analyzer will fail to resolve them since their
metadata is not loaded in the StmtTableCache. This patch modified the
StmtMetadataLoader to also load those tables introduced by masking
policies. So they can be resolved correctly.
Tests
- Add more complex tests in test_row_filtering
Change-Id: I254df9f684c95c660f402abd99ca12dded7e764f
Reviewed-on: http://gerrit.cloudera.org:8080/17185
Reviewed-by: Aman Sinha <[email protected]>
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Support column-masking/row-filtering policy expressions that contain
> subqueries
> -------------------------------------------------------------------------------
>
> Key: IMPALA-10483
> URL: https://issues.apache.org/jira/browse/IMPALA-10483
> Project: IMPALA
> Issue Type: New Feature
> Components: Security
> Reporter: Quanlong Huang
> Assignee: Quanlong Huang
> Priority: Critical
>
> Row-filtering policies are applied as the WHERE clause of the table masking
> view of the base table/view. E.g. if table "tblA" contains a row-filtering
> policy "id=0", the original query "{{select * from tblA join tblB on (id)}}"
> will be analyzed as
> {code:sql}
> select * from (
> select col1, col2, ..., colN from tblA where id = 0
> ) v join tblB on (id)
> {code}
> The row-filtering policy expression can also use subqueries, e.g. "{{id =
> (select min(id) from tblC)}}". However, if the WHERE clause introduces
> subqueries, it will introduce new tables whose metadata is not loaded in
> Analyzer's StmtTableCache. So the Analyzer will fail to resolve them and
> raise AuthorizationExceptions complaining user doesn't have privilege to
> SELECT those tables.
> One solution is collecting tables introduced by subqueries of
> Column-masking/Row-filtering expressions and also load them in
> {{StmtMetadataLoader#loadTables()}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
