Fang-Yu Rao created IMPALA-10881:
------------------------------------
Summary: Consider removing permission checks in LoadDataStmt
Key: IMPALA-10881
URL: https://issues.apache.org/jira/browse/IMPALA-10881
Project: IMPALA
Issue Type: Improvement
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao

We found that Impala's frontend performs permission checks to make sure Impala
has the necessary permissions on the related paths in the underlying file
system, e.g., HDFS, during the analysis of {{LoadDataStmt}}, e.g.,
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/LoadDataStmt.java#L185-L190].
This implies that Impala has to be granted those permissions on the related
paths in order for the query to be sent to Impala's backend for execution.
Otherwise, Impala's frontend would throw an {{AnalysisException}}.

Such behavior seems a bit too restrictive and inconvenient from an
administrator's perspective because in a Ranger-enabled cluster, to allow
Impala to execute {{LoadDataStmt}}, the administrator should also be able to
grant those permissions to Impala (or the user representing the Impala service)
by adding the corresponding policies under the policy repository of the service
of the underlying file system instead of having to grant those permissions to
the Impala service in the underlying file system without involving Ranger.

We should thus consider the possibility of removing those permission checks
after verifying that the underlying file system with authorization enabled will
still perform the permission checks after the checks have been removed from
Impala.
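
The situation described in the issue, as a small model added here for illustration (not code from Impala, HDFS or Ranger): an analysis-time pre-check that sees only native mode bits rejects a load that policy grants would permit, while the file system keeps denying an ungranted user once the pre-check is gone. Assumptions: every class, function, path and user name is hypothetical, the load is taken to need read on the source and write on the destination, and the file system's authorizer is taken to accept either a policy grant or the native bits.

```python
# Constructed model; not Impala, HDFS or Ranger code. All names are hypothetical.
from dataclasses import dataclass, field

READ, WRITE = 4, 2  # single POSIX access bits

@dataclass
class PathMeta:
    owner: str
    group: str
    mode: int  # e.g. 0o750

@dataclass
class FileSystem:
    paths: dict                                   # path -> PathMeta
    groups: dict = field(default_factory=dict)    # user -> set of group names
    policies: set = field(default_factory=set)    # (user, path, access) policy grants

    def native_allows(self, user, path, want):
        """Owner/group/other mode-bit check only."""
        meta = self.paths[path]
        if user == meta.owner:
            bits = meta.mode >> 6
        elif meta.group in self.groups.get(user, set()):
            bits = meta.mode >> 3
        else:
            bits = meta.mode
        return bool(bits & want)

    def authorize(self, user, path, want):
        """Enforcement inside the file system: policy grant, else native bits (assumed)."""
        return (user, path, want) in self.policies or self.native_allows(user, path, want)

def load_data(fs, user, src, dst, frontend_precheck):
    """Return (stage that decided, outcome) for a load that moves src into dst."""
    if frontend_precheck and not (fs.native_allows(user, src, READ)
                                  and fs.native_allows(user, dst, WRITE)):
        return ("analysis", "denied")      # rejected before any execution
    if fs.authorize(user, src, READ) and fs.authorize(user, dst, WRITE):
        return ("filesystem", "allowed")
    return ("filesystem", "denied")        # the file system still enforces

def sample_fs():
    """Constructed sample: 'impala' holds policy grants but no native permissions."""
    return FileSystem(
        paths={"/staging/f": PathMeta("etl", "etl", 0o700),
               "/warehouse/t": PathMeta("hive", "hive", 0o750)},
        policies={("impala", "/staging/f", READ), ("impala", "/warehouse/t", WRITE)})
```

Calling `load_data(sample_fs(), "impala", "/staging/f", "/warehouse/t", frontend_precheck=True)` and then with `False` shows the two outcomes side by side; a user with no grants is the case to verify before removing the pre-check.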