[ https://issues.apache.org/jira/browse/IMPALA-10122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17564021#comment-17564021 ]
ASF subversion and git services commented on IMPALA-10122:
----------------------------------------------------------

Commit 607dc1f170fb8cc013d8ec33fccee59ac4352fe4 in impala's branch refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=607dc1f17 ]

IMPALA-10122 (Part 2): Allow accessing views created by non-superusers

This patch allows Impala users to access views created by non-superusers
in HiveMetaStore, i.e., views with the table property of 'Authorized'
set to false.

Recall that a user is considered as a non-superuser by HiveMetaStore if
the IP address of the user is not on the list specified by the Hadoop
configuration of 'hadoop.proxyuser.<username>.hosts', where <username>
denotes the short name corresponding to the Kerberos principal name of
the user. For a view created by a non-superuser, HiveMetaStore adds to
the view the table property of 'Authorized' and sets the value of this
property to false after HIVE-24026. We prevented any Impala user from
accessing such views in part 1 of this JIRA.

To enable an Impala user to access such views, this patch enforces the
privilege checks for the underlying tables of a view additionally if the
given view was created by a non-superuser in HiveMetaStore.

Testing:
 - Added an E2E test to verify the necessary privileges on the
   underlying tables are required in order to access a view created by a
   non-superuser.

Change-Id: I50a50931c6eeb0feec28c30531b09269622e6aad
Reviewed-on: http://gerrit.cloudera.org:8080/18684
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Reviewed-by: Quanlong Huang <huangquanl...@gmail.com>
Tested-by: Quanlong Huang <huangquanl...@gmail.com>


> Allow view authorization to be deferred until selection time
> ------------------------------------------------------------
>
>                 Key: IMPALA-10122
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10122
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Recall that currently Impala performs authorization with Ranger to check
> whether the requesting user is granted the privilege of {{SELECT}} for the
> underlying tables when a view is created and thus does not check whether the
> requesting user is granted the {{SELECT}} privilege on the underlying tables
> when the view is selected.
> On the other hand, currently a Spark user is not allowed to directly create a
> view in HMS without involving the Impala frontend, because Spark clients are
> normal users (vs. superusers). To relax this restriction, it would be good
> to allow a Spark user to directly create a view in HMS without involving the
> Impala frontend. However, it can be seen that the authorization check is
> skipped for views created in this manner since HMS currently does not possess
> the capability to perform the authorization. Due to this relaxation, for a
> view created this way, the authorization of the view needs to be carried out
> at the selection time to make sure the requesting user is indeed granted the
> {{SELECT}} privileges on the underlying tables defined in the view.
> There is also a corresponding Hive JIRA at HIVE-24026. Refer to there for
> further details.
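The decision described in the commit message above, as an added sketch in Python (not Impala's or Hive's code): a view created from an address that is not on `hadoop.proxyuser.<username>.hosts` is tagged `Authorized=false`, and selecting from such a view additionally requires `SELECT` on its underlying tables. The dictionary catalog, the grant set, all view, table and user names, and the IP addresses are constructed for illustration; the sketch accepts IP, CIDR and `*` entries in the hosts list and does not resolve hostnames.

```python
import ipaddress

# Constructed Hadoop setting: only the "impala" service user has a proxyuser host list.
HADOOP_CONF = {"hadoop.proxyuser.impala.hosts": "10.0.0.5, 10.0.1.0/24"}

def is_hms_superuser(conf, short_name, client_ip):
    """True only if client_ip is on hadoop.proxyuser.<short_name>.hosts."""
    ip = ipaddress.ip_address(client_ip)
    hosts = conf.get(f"hadoop.proxyuser.{short_name}.hosts", "")
    for entry in filter(None, (h.strip() for h in hosts.split(","))):
        if entry == "*":
            return True
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname entry: not resolved in this offline sketch
    return False

def create_view(catalog, conf, name, underlying, creator, client_ip):
    """Model HMS after HIVE-24026: tag views from non-superusers with Authorized=false."""
    props = {}
    if not is_hms_superuser(conf, creator, client_ip):
        props["Authorized"] = "false"
    catalog[name] = {"underlying": list(underlying), "props": props}

def missing_select(catalog, grants, user, view):
    """Objects on which `user` still needs SELECT before `view` may be queried."""
    needed = [view]
    # Deferred check: only views marked Authorized=false pull in their base tables.
    if catalog[view]["props"].get("Authorized", "").lower() == "false":
        needed += catalog[view]["underlying"]
    return [obj for obj in needed if (user, obj) not in grants]

def demo():
    catalog = {}
    tables = ["sales.orders", "sales.customers"]
    create_view(catalog, HADOOP_CONF, "sales.v_impala", tables, "impala", "10.0.1.7")
    create_view(catalog, HADOOP_CONF, "sales.v_spark", tables, "spark", "10.0.2.9")
    # alice holds SELECT on both views but on only one of the base tables.
    grants = {("alice", "sales.v_impala"), ("alice", "sales.v_spark"),
              ("alice", "sales.orders")}
    return {v: missing_select(catalog, grants, "alice", v) for v in catalog}

if __name__ == "__main__":
    print(demo())
```

An empty list means the query is allowed; for the view created by the non-superuser the missing base-table grant is reported even though the user holds `SELECT` on the view itself.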