Fang-Yu Rao created IMPALA-10986:
------------------------------------

             Summary: Specific privilege should be required to execute a UDF in Impala
                 Key: IMPALA-10986
                 URL: https://issues.apache.org/jira/browse/IMPALA-10986
             Project: IMPALA
          Issue Type: Bug
    Affects Versions: Impala 4.0.0
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


We found that currently in Impala, to execute a UDF, a user only has to be 
granted one of the 3 privileges in {{INSERT}}, {{SELECT}}, {{REFRESH}} on the 
database (i.e., the {{VIEW_METADATA}} privilege on the database) where the UDF 
was created. No additional privilege on the UDF is required. An example of the 
policy added via Ranger's web UI is also provided here.

The privilege request of {{VIEW_METADATA}} on the database is registered within 
[analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA, true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
This is the reason why the user has to be granted the VIEW_METADATA privilege 
on the database to be able to execute the UDF.

Recall that the registration of the privilege mentioned above occurs in 
[FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
where Impala's frontend analyzes the given function in a query.

I noticed in the same method above at 
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535,
Impala is able to determine whether the current function is a UDF or not. Thus 
it seems that to fix the problem, we need to additionally register the 
corresponding privilege request for a UDF (vs. a built-in function) other than 
the {{VIEW_METADATA}} privilege on the database.

We should thus provide a fix for the issue.



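The authorization gap described in the report, modelled as an added example that is not Impala code and not part of the original message. It is a simplified Python model of privilege-request registration; the privilege name {{EXECUTE_UDF}}, the user, the database and the function names are assumptions made for illustration, since the report does not say which privilege the fix should require.

```python
from dataclasses import dataclass, field

# Per the report: VIEW_METADATA on a database is satisfied by any one of these.
VIEW_METADATA = frozenset({"INSERT", "SELECT", "REFRESH"})
# Hypothetical name for the function-level privilege the report asks for.
UDF_PRIVILEGE = "EXECUTE_UDF"

@dataclass(frozen=True)
class PrivilegeRequest:
    resource: tuple      # ("db", name) or ("function", db, fn)
    any_of: frozenset    # satisfied if the user holds any of these privileges

@dataclass
class Policy:
    grants: dict = field(default_factory=dict)  # (user, resource) -> privileges

    def grant(self, user, resource, privilege):
        self.grants.setdefault((user, resource), set()).add(privilege)

    def allows(self, user, req):
        return bool(self.grants.get((user, req.resource), set()) & req.any_of)

def analyze_function_call(db, fn, is_udf, require_udf_privilege):
    """Return the privilege requests registered while analyzing one call."""
    # Reported behaviour: only the database-level request is registered.
    requests = [PrivilegeRequest(("db", db), VIEW_METADATA)]
    # Proposed behaviour: a UDF additionally needs a privilege on the function.
    if is_udf and require_udf_privilege:
        requests.append(
            PrivilegeRequest(("function", db, fn), frozenset({UDF_PRIVILEGE})))
    return requests

def authorize(policy, user, requests):
    # Every registered request must be satisfied for the query to proceed.
    return all(policy.allows(user, r) for r in requests)

def demo():
    policy = Policy()
    # Constructed grant: REFRESH only, which already satisfies VIEW_METADATA.
    policy.grant("alice", ("db", "udf_db"), "REFRESH")
    current = analyze_function_call("udf_db", "my_udf", True, False)
    fixed = analyze_function_call("udf_db", "my_udf", True, True)
    before = authorize(policy, "alice", current)   # allowed today
    denied = authorize(policy, "alice", fixed)     # denied once the fix applies
    policy.grant("alice", ("function", "udf_db", "my_udf"), UDF_PRIVILEGE)
    return before, denied, authorize(policy, "alice", fixed)

if __name__ == "__main__":
    print(demo())
```

A useful regression check for the real fix follows the same shape: a user holding only {{REFRESH}} on the database must be denied, and a built-in function call must not pick up the extra request.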