[jira] [Updated] (IMPALA-10484) Support using non-relative collection columns of a table containing row-filtering policies

Tue, 30 Mar 2021 16:58:04 -0700 


     [ 
https://issues.apache.org/jira/browse/IMPALA-10484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Quanlong Huang updated IMPALA-10484:
------------------------------------
    Summary: Support using non-relative collection columns of a table 
containing row-filtering policies  (was: Support using unrelated collection 
columns of a table containing row-filtering policies)

> Support using non-relative collection columns of a table containing 
> row-filtering policies
> ------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-10484
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10484
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Security
>    Affects Versions: Impala 4.0
>            Reporter: Quanlong Huang
>            Priority: Major
>
> This is a follow-up for IMPALA-9234. Row-filtering policies are applied as 
> the WHERE clause of the table masking view of the base table/view. E.g. if 
> table "tblA" contains a row-filtering policy "id=0", the original query 
> "{{select * from tblA join tblB on (id)}}" will be analyzed as
> {code:sql}
> select * from (
>   select col1, col2, ..., colN from tblA where id = 0
> ) v join tblB on (id)
> {code}
> Tables containing complex types are more complex in analyzing. Let's say 
> "tblA" contains two columns:
> ||id int||int_array array<int>||
> |0|[1,2,3]|
> |1|[4,5]|
> The following queries gets all items of the array column:
> {code:sql}
> -- Good for applying table masking view on tblA
> select a.item from tblA t, t.int_array a;
> -- Hard to apply table masking view on tblA
> select item from tblA.int_array;
> {code}
> The second query uses unrelated collection column directly. So we can't apply 
> the row-filtering policies on the base table. This will leak data, so 
> IMPALA-9234 forbids them.
> We can support this by rewritting the second query to the first one. Luckily, 
> we already have a rewritter containing this ability: {{AcidRewriter}} in 
> {{StmtRewriter}}. With some refactor it can be reused. However, there is a 
> bug (IMPALA-10482) needs to be fixed first.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to