Fang-Yu Rao created IMPALA-10712:
------------------------------------
Summary: ALTER DATABASE <database_name> SET OWNER ROLE <role_name> is not supported when Ranger is the authorization provider
Key: IMPALA-10712
URL: https://issues.apache.org/jira/browse/IMPALA-10712
Project: IMPALA
Issue Type: Improvement
Affects Versions: Impala 4.0
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao

We found that {{ALTER DATABASE <database_name> SET OWNER ROLE <role_name>}} is
not supported when Ranger is the authorization provider. Specifically, we will
hit the non-null check for the given role at
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59]
due to the fact that the {{AuthorizationPolicy}} returned from
{{getAuthPolicy()}} does not cache any policy-related information if the
authorization provider is Ranger, which is different than the case when Sentry
was the authorization provider.

When Ranger is the authorization provider, the currently existing roles are
cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we
could probably invoke {{getRoles().getRangerRoles()}} provided by the
{{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what
is done at
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].

Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing
Joe's comment at
[https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].
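
The failure mode and the proposed direction from the issue above, as an added, simplified Java model; it is not code from the Impala or Ranger code base. PolicyCache, the two check methods, the exception used and the role names are stand-ins constructed for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model; every name here is a stand-in, not Impala's or Ranger's API.
public class OwnerRoleCheckModel {
  enum Provider { SENTRY, RANGER }

  // Stand-in for the catalog-side policy object: holds roles under Sentry,
  // caches nothing when Ranger is the provider.
  static final class PolicyCache {
    private final Map<String, Integer> roleIds = new HashMap<>();
    void addRole(String name, int id) { roleIds.put(name, id); }
    Integer getRole(String name) { return roleIds.get(name); }
  }

  // Check as the issue describes it: only the policy cache is consulted.
  static void checkOwnerRoleCacheOnly(PolicyCache policy, String role) {
    if (policy.getRole(role) == null) {
      throw new IllegalStateException("Role '" + role + "' does not exist.");
    }
  }

  // Provider-aware check: under Ranger, use the role names cached by the plugin.
  static void checkOwnerRole(Provider provider, PolicyCache policy,
      Set<String> pluginRoleNames, String role) {
    boolean exists = provider == Provider.RANGER
        ? pluginRoleNames.contains(role)
        : policy.getRole(role) != null;
    if (!exists) {
      throw new IllegalStateException("Role '" + role + "' does not exist.");
    }
  }

  public static void main(String[] args) {
    // Constructed state: Ranger is the provider, the role "analysts" exists,
    // but only in the plugin's role cache; the policy cache is empty.
    PolicyCache emptyPolicy = new PolicyCache();
    Set<String> pluginRoles = new HashSet<>(Collections.singleton("analysts"));
    try {
      checkOwnerRoleCacheOnly(emptyPolicy, "analysts");
    } catch (IllegalStateException e) {
      System.out.println("cache-only check rejects an existing role: " + e.getMessage());
    }
    checkOwnerRole(Provider.RANGER, emptyPolicy, pluginRoles, "analysts");
    System.out.println("provider-aware check accepts the existing role");
  }
}
```

The provider-aware check still rejects a role name that is absent from the plugin's set, so ownership cannot be assigned to a role that does not exist.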