[
https://issues.apache.org/jira/browse/IMPALA-10986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Manish Maheshwari updated IMPALA-10986:
---------------------------------------
Description:
We found that currently in Impala, to execute a UDF, a user only has to be
granted one of the 3 privileges in {{{}INSERT{}}}, {{{}SELECT{}}}, {{REFRESH}}
on the database (i.e., the {{VIEW_METADATA}} privilege on the database) where
the UDF was created. No additional privilege on the UDF is required. An example
of the policy added via Ranger's web UI allowing a user to execute a UDF is
also provided here.
!ranger_policy_for_udfs_impala.png!
The privilege request of {{VIEW_METADATA}} on the database is registered within
[analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA,
true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
This is the reason why the user has to be granted the VIEW_METADATA privilege
on the database to be able to execute the UDF.
Recall that the registration of the privilege mentioned above occurs in
[FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
where Impala's frontend analyzes the given function in a query.
I noticed in the same method above at
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535],
Impala is able to determine whether the current function is a UDF or not. Thus
it seems that to fix the problem, we need to additionally register the
corresponding privilege request for a UDF (v.s. a built-in function) other than
the {{VIEW_METADATA}} privilege on the database.
We should thus provide a fix for the issue.
was:
We found that currently in Impala, to execute a UDF, a user only has to be
granted one of the 3 privileges in {{INSERT}}, {{SELECT}}, {{REFRESH}} on the
database (i.e., the {{VIEW_METADATA}} privilege on the database) where the UDF
was created. No additional privilege on the UDF is required. An example of the
policy added via Ranger's web UI allowing a user to execute a UDF is also
provided here. !ranger_policy_for_udfs_impala.png!
The privilege request of {{VIEW_METADATA}} on the database is registered within
[analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA,
true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
This is the reason why the user has to be granted the VIEW_METADATA privilege
on the database to be able to execute the UDF.
Recall that the registration of the privilege mentioned above occurs in
[FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
where Impala's frontend analyzes the given function in a query.
I noticed in the same method above at
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535,
Impala is able to determine whether the current function is a UDF or not. Thus
it seems that to fix the problem, we need to additionally register the
corresponding privilege request for a UDF (v.s. a built-in function) other than
the {{VIEW_METADATA}} privilege on the database.
We should thus provide a fix for the issue.
> Specific privilege should be required to execute a UDF in Impala
> ----------------------------------------------------------------
>
> Key: IMPALA-10986
> URL: https://issues.apache.org/jira/browse/IMPALA-10986
> Project: IMPALA
> Issue Type: Bug
> Affects Versions: Impala 4.0.0
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
> Attachments: ranger_policy_for_udfs_impala.png
>
>
> We found that currently in Impala, to execute a UDF, a user only has to be
> granted one of the 3 privileges in {{{}INSERT{}}}, {{{}SELECT{}}},
> {{REFRESH}} on the database (i.e., the {{VIEW_METADATA}} privilege on the
> database) where the UDF was created. No additional privilege on the UDF is
> required. An example of the policy added via Ranger's web UI allowing a user
> to execute a UDF is also provided here.
> !ranger_policy_for_udfs_impala.png!
> The privilege request of {{VIEW_METADATA}} on the database is registered
> within [analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA,
> true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
> This is the reason why the user has to be granted the VIEW_METADATA
> privilege on the database to be able to execute the UDF.
> Recall that the registration of the privilege mentioned above occurs in
> [FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
> where Impala's frontend analyzes the given function in a query.
> I noticed in the same method above at
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535],
> Impala is able to determine whether the current function is a UDF or not.
> Thus it seems that to fix the problem, we need to additionally register the
> corresponding privilege request for a UDF (v.s. a built-in function) other
> than the {{VIEW_METADATA}} privilege on the database.
> We should thus provide a fix for the issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
