[
https://issues.apache.org/jira/browse/IMPALA-10728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Quanlong Huang resolved IMPALA-10728.
-------------------------------------
Fix Version/s: Impala 4.0
Resolution: Fixed
> Impala should check access privileges inside masking expressions
> ----------------------------------------------------------------
>
> Key: IMPALA-10728
> URL: https://issues.apache.org/jira/browse/IMPALA-10728
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend, Security
> Affects Versions: Impala 4.0
> Reporter: Quanlong Huang
> Assignee: Quanlong Huang
> Priority: Critical
> Fix For: Impala 4.0
>
>
> Row-filtering/column-masking policies may have subqueries which involve some
> other tables. These tables can have associated policies as well. Currently,
> Impala won't check any policies on these tables, including access policies
> and masking policies (row-filtering/column-masking). The rationale is that these
> expressions are evaluated from the admin's point of view. Another reason is to
> avoid recursive masking, and sometimes infinite recursive masking. E.g. a
> row-filter subquery can have tables that also have this kind of row-filter.
> Although Hive also skips applying masking policies recursively inside
> masking/filtering expressions, Hive still checks access policies inside them.
> To avoid breaking users that depend on this, we'd better be compatible with
> Hive's behavior first.
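A toy Python model of the behaviour the issue describes, added here as an illustration and not Impala, Hive or Ranger code: access is checked on tables referenced inside a row-filter expression, while those tables' own row filters are not applied recursively. The users, tables, policies and the `check_inside_masks` switch are constructed assumptions, and the model assumes the privilege checked is the querying user's SELECT.

```python
# Toy model only; every name and policy below is constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Policies:
    select_grants: dict   # user -> set of tables the user may SELECT from
    row_filters: dict     # table -> (filter SQL text, tables its subquery reads)

@dataclass
class Plan:
    filters_applied: list = field(default_factory=list)
    access_checked: list = field(default_factory=list)

def check_access(p, user, table, plan):
    plan.access_checked.append(table)
    if table not in p.select_grants.get(user, set()):
        raise PermissionError(f"{user} lacks SELECT on {table}")

def authorize(p, user, table, check_inside_masks=True):
    """check_inside_masks=False models the behaviour the issue reports."""
    plan = Plan()
    check_access(p, user, table, plan)
    if table in p.row_filters:
        expr, referenced = p.row_filters[table]
        plan.filters_applied.append((table, expr))
        for inner in referenced:
            # Access policies are checked on tables inside the expression.
            if check_inside_masks:
                check_access(p, user, inner, plan)
            # The row filter of `inner` is deliberately not applied, so the
            # mutually referencing filters below cannot recurse forever.
    return plan

POLICIES = Policies(
    select_grants={"alice": {"sales", "regions"}, "bob": {"sales"}},
    row_filters={
        "sales": ("region_id IN (SELECT id FROM regions)", ["regions"]),
        "regions": ("id IN (SELECT region_id FROM sales)", ["sales"]),
    },
)

def denied(user, table, **kw):
    try:
        authorize(POLICIES, user, table, **kw)
        return False
    except PermissionError:
        return True
```

Here `bob` can read `sales` when nothing inside the filter is checked, but is denied once the `regions` table referenced by the filter is subject to an access check.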