[ https://issues.apache.org/jira/browse/IMPALA-10712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fang-Yu Rao updated IMPALA-10712:
---------------------------------
    Description: 
We found that {{SET OWNER ROLE}} of a database, table, or a view is not 
supported when Ranger is the authorization provider.

In the case of setting the owner of a database to a given role, when Ranger is the 
authorization provider, we found that after executing {{ALTER DATABASE 
<database_name> SET OWNER ROLE <role_name>}}, we will hit the non-null check 
for the given role at 
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59]
 due to the fact that the {{AuthorizationPolicy}} returned from 
{{getAuthPolicy()}} does not cache any policy-related information if the 
authorization provider is Ranger, which is different than the case when Sentry 
was the authorization provider.

When Ranger is the authorization provider, the currently existing roles are 
cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we 
could probably invoke {{getRoles().getRangerRoles()}} provided by the 
{{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what 
is done at 
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].

Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing 
Joe's comment at 
[https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].

  was:
We found that {{ALTER DATABASE <database_name> SET OWNER ROLE <role_name>}} is 
not supported when Ranger is the authorization provider. Specifically, we will 
hit the non-null check for the given role at 
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59]
 due to the fact that the {{AuthorizationPolicy}} returned from 
{{getAuthPolicy()}} does not cache any policy-related information if the 
authorization provider is Ranger, which is different than the case when Sentry 
was the authorization provider.

When Ranger is the authorization provider, the currently existing roles are 
cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we 
could probably invoke {{getRoles().getRangerRoles()}} provided by the 
{{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what 
is done at 
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].

Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing 
Joe's comment at 
[https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].


> SET OWNER ROLE <role_name> of a database/table/view is not supported when 
> Ranger is the authorization provider
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-10712
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10712
>             Project: IMPALA
>          Issue Type: Improvement
>    Affects Versions: Impala 4.0
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> We found that {{SET OWNER ROLE}} of a database, table, or a view is not 
> supported when Ranger is the authorization provider.
> In the case of setting the owner of a database to a given role, when Ranger is 
> the authorization provider, we found that after executing {{ALTER DATABASE 
> <database_name> SET OWNER ROLE <role_name>}}, we will hit the non-null check 
> for the given role at 
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59]
>  due to the fact that the {{AuthorizationPolicy}} returned from 
> {{getAuthPolicy()}} does not cache any policy-related information if the 
> authorization provider is Ranger, which is different than the case when 
> Sentry was the authorization provider.
> When Ranger is the authorization provider, the currently existing roles are 
> cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we 
> could probably invoke {{getRoles().getRangerRoles()}} provided by the 
> {{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what 
> is done at 
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].
> Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing 
> Joe's comment at 
> [https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].


