[
https://issues.apache.org/jira/browse/IMPALA-10986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-10986:
---------------------------------
Description:
We found that currently in Impala, to execute a UDF, a user only has to be
granted one of the 3 privileges in {{INSERT}}, {{SELECT}}, {{REFRESH}} on the
database (i.e., the {{VIEW_METADATA}} privilege on the database) where the UDF
was created. No additional privilege on the UDF is required. An example of the
policy added via Ranger's web UI is also provided here.
!ranger_policy_for_udfs_impala.png!
The privilege request of {{VIEW_METADATA}} on the database is registered within
[analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA,
true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
This is the reason why the user has to be granted the VIEW_METADATA privilege
on the database to be able to execute the UDF.
Recall that the registration of the privilege mentioned above occurs in
[FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
where Impala's frontend analyzes the given function in a query.
I noticed in the same method above at
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535,
Impala is able to determine whether the current function is a UDF or not. Thus
it seems that to fix the problem, we need to additionally register the
corresponding privilege request for a UDF (v.s. a built-in function) other than
the {{VIEW_METADATA}} privilege on the database.
We should thus provide a fix for the issue.
was:
We found that currently in Impala, to execute a UDF, a user only has to be
granted one of the 3 privileges in {{INSERT}}, {{SELECT}}, {{REFRESH}} on the
database (i.e., the {{VIEW_METADATA}} privilege on the database) where the UDF
was created. No additional privilege on the UDF is required. An example of the
policy added via Ranger's web UI is also provided here.
The privilege request of {{VIEW_METADATA}} on the database is registered within
[analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA,
true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
This is the reason why the user has to be granted the VIEW_METADATA privilege
on the database to be able to execute the UDF.
Recall that the registration of the privilege mentioned above occurs in
[FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
where Impala's frontend analyzes the given function in a query.
I noticed in the same method above at
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535,
Impala is able to determine whether the current function is a UDF or not. Thus
it seems that to fix the problem, we need to additionally register the
corresponding privilege request for a UDF (v.s. a built-in function) other than
the {{VIEW_METADATA}} privilege on the database.
We should thus provide a fix for the issue.
> Specific privilege should be required to execute a UDF in Impala
> ----------------------------------------------------------------
>
> Key: IMPALA-10986
> URL: https://issues.apache.org/jira/browse/IMPALA-10986
> Project: IMPALA
> Issue Type: Bug
> Affects Versions: Impala 4.0.0
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
> Attachments: ranger_policy_for_udfs_impala.png
>
>
> We found that currently in Impala, to execute a UDF, a user only has to be
> granted one of the 3 privileges in {{INSERT}}, {{SELECT}}, {{REFRESH}} on the
> database (i.e., the {{VIEW_METADATA}} privilege on the database) where the
> UDF was created. No additional privilege on the UDF is required. An example
> of the policy added via Ranger's web UI is also provided here.
> !ranger_policy_for_udfs_impala.png!
> The privilege request of {{VIEW_METADATA}} on the database is registered
> within [analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA,
> true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
> This is the reason why the user has to be granted the VIEW_METADATA
> privilege on the database to be able to execute the UDF.
> Recall that the registration of the privilege mentioned above occurs in
> [FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
> where Impala's frontend analyzes the given function in a query.
> I noticed in the same method above at
> https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535,
> Impala is able to determine whether the current function is a UDF or not.
> Thus it seems that to fix the problem, we need to additionally register the
> corresponding privilege request for a UDF (v.s. a built-in function) other
> than the {{VIEW_METADATA}} privilege on the database.
> We should thus provide a fix for the issue.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
