Quanlong Huang created IMPALA-10728:
---------------------------------------
Summary: Impala should check access privileges inside masking
expressions
Key: IMPALA-10728
URL: https://issues.apache.org/jira/browse/IMPALA-10728
Project: IMPALA
Issue Type: Bug
Components: Frontend, Security
Affects Versions: Impala 4.0
Reporter: Quanlong Huang
Assignee: Quanlong Huang
Row-filtering/column-masking policies may have subqueries which involve some
other tables. These tables can have associate policies as well. Currently,
Impala won't check any policies on these tables, including access policies and
masking policies (row-filtering/column-masking). The rational is these
expressions are evaluated in admin's point of view. Another reason is to avoid
recursive masking, and sometimes infinite recursive masking. E.g. a row-filter
subquery can have tables that also have such kind of row-filters.
Although Hive also skipps applying masking policies recursively inside
masking/filtering expressions, Hive still check access policies inside them. To
avoid breaking users that depend on this, we'd better be compatible with Hive's
behavior first.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
