[ https://issues.apache.org/jira/browse/IMPALA-10712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17775048#comment-17775048 ]
Fang-Yu Rao commented on IMPALA-10712: -------------------------------------- It looks like I created a JIRA more than 2 years ago for the same issue. > SET OWNER ROLE <role_name> of a database/table/view is not supported when > Ranger is the authorization provider > -------------------------------------------------------------------------------------------------------------- > > Key: IMPALA-10712 > URL: https://issues.apache.org/jira/browse/IMPALA-10712 > Project: IMPALA > Issue Type: Improvement > Affects Versions: Impala 4.0.0 > Reporter: Fang-Yu Rao > Assignee: Fang-Yu Rao > Priority: Major > > We found that {{SET OWNER ROLE}} of a database, table, or a view is not > supported when Ranger is the authorization provider. > In the case of set the owner of a database to a given role, when Ranger is > the authorization provider, we found that after executing {{ALTER DATABASE > <database_name> SET OWNER ROLE <role_name>}}, we will hit the non-null check > for the given role at > [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59] > due to the fact that the {{AuthorizationPolicy}} returned from > {{getAuthPolicy()}} does not cache any policy-related information if the > authorization provider is Ranger, which is different than the case when > Sentry was the authorization provider. > When Ranger is the authorization provider, the currently existing roles are > cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we > could probably invoke {{getRoles().getRangerRoles()}} provided by the > {{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what > is done at > [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135]. > Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing > Joe's comment at > [https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68]. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org