view is not supported when Ranger is the authorization provider

Fang-Yu Rao (Jira) Fri, 13 Oct 2023 13:04:05 -0700


    [ 
https://issues.apache.org/jira/browse/IMPALA-10712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17775048#comment-17775048
 ]


Fang-Yu Rao commented on IMPALA-10712:
--------------------------------------

It looks like I created a JIRA more than 2 years ago for the same issue.

> SET OWNER ROLE <role_name> of a database/table/view is not supported when 
> Ranger is the authorization provider
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-10712
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10712
>             Project: IMPALA
>          Issue Type: Improvement
>    Affects Versions: Impala 4.0.0
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> We found that {{SET OWNER ROLE}} of a database, table, or a view is not 
> supported when Ranger is the authorization provider.
> In the case of set the owner of a database to a given role, when Ranger is 
> the authorization provider, we found that after executing {{ALTER DATABASE 
> <database_name> SET OWNER ROLE <role_name>}}, we will hit the non-null check 
> for the given role at 
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59]
>  due to the fact that the {{AuthorizationPolicy}} returned from 
> {{getAuthPolicy()}} does not cache any policy-related information if the 
> authorization provider is Ranger, which is different than the case when 
> Sentry was the authorization provider.
> When Ranger is the authorization provider, the currently existing roles are 
> cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we 
> could probably invoke {{getRoles().getRangerRoles()}} provided by the 
> {{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what 
> is done at 
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].
> Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing 
> Joe's comment at 
> [https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

[jira] [Commented] (IMPALA-10712) SET OWNER ROLE of a database/table/view is not supported when Ranger is the authorization provider

Reply via email to