[ 
https://issues.apache.org/jira/browse/IMPALA-12398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17795199#comment-17795199
 ] 

ASF subversion and git services commented on IMPALA-12398:
----------------------------------------------------------

Commit d9c067aa89313547c1d8dbf3840ebe308726f8c3 in impala's branch refs/heads/master from jichen0919
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=d9c067aa8 ]

IMPALA-12398: Fix Ranger role not exists when altering db/table/view owner to a role

When Role '<ROLE_NAME>' is created with Ranger authorization enabled,
if 'ALTER TABLE <TABLE_NAME> SET OWNER ROLE <ROLE_NAME>' statement is
executed to assign role as the owner of the table, it will throw
AnalysisException:Role '<ROLE_NAME>' does not exist.

Before this patch, given the ALTER DATABASE/TABLE/VIEW SET OWNER ROLE
statement, Impala always checked the existence of the given role in
its AuthorizationPolicy. However, when the support for role-related
statements with Ranger was added in IMPALA-10211, we only added the
roles in RangerImpalaPlugin instead of AuthorizationPolicy.
Therefore, the statement above would fail even though an authorized
user tries to set the owner to an existing role in RangerImpalaPlugin.

This patch will directly use ranger impala plugin to check the
existence of the role, instead of using AuthorizationPolicy object.

Tests:
 - Pass unit tests. Test method testAlterView in AuthorizationStmtTest
   is updated accordingly.
 - Pass e2e tests. Test method _test_ownership in test_ranger.py is
   updated to cover the new implementation.
 - Pass core tests with ranger enabled.

Change-Id: I2b029bdb90111dbd0eab5189360cc81090225cda
Reviewed-on: http://gerrit.cloudera.org:8080/20508
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> Ranger role not exists when altering db/table/view owner to a role
> ------------------------------------------------------------------
>
>                 Key: IMPALA-12398
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12398
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>            Reporter: Quanlong Huang
>            Assignee: ji.chen
>            Priority: Critical
>              Labels: ramp-up
>
> To reproduce the issue, start Impala cluster with Ranger authorization 
> enabled:
> {code:bash}
> bin/start-impala-cluster.py \
>   --impalad_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger" \
>   --catalogd_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger"
> {code}
> Create a role "hql_test" and a temp table "tmp_tbl", then set the owner of it 
> to the role:
> {code:sql}
> $ impala-shell.sh -u admin
> default> create table tmp_tbl(id int);
> default> create role hql_test;
> default> alter table tmp_tbl set owner role hql_test;
> Query: alter table tmp_tbl set owner role hql_test
> ERROR: AnalysisException: Role 'hql_test' does not exist.
> {code}
> However, SHOW ROLES can show the role:
> {code:sql}
> default> show roles;
> Query: show roles
> +-----------+
> | role_name |
> +-----------+
> | hql_test  |
> +-----------+
> Fetched 1 row(s) in 0.01s
> {code}
> Ranger roles are not loaded in Impala's catalog cache. We should either load 
> them or use RangerPlugin to check existence of a role. Code snippet of the 
> role check:
> {code:java}
> if (analyzer.isAuthzEnabled() && owner_.getOwnerType() == TOwnerType.ROLE
>     && analyzer.getCatalog().getAuthPolicy().getRole(ownerName) == null) {
>   throw new AnalysisException(String.format("Role '%s' does not exist.", ownerName));
> }
> {code}
> https://github.com/apache/impala/blob/08501cef2df16991bbd99656c696b978f08aeebe/fe/src/main/java/org/apache/impala/analysis/AlterTableOrViewSetOwnerStmt.java#L56
> CC [~fangyurao]
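The mismatch described in the ticket and the commit message (CREATE ROLE lands in the Ranger plugin, while the SET OWNER ROLE check consulted Impala's AuthorizationPolicy) can be replayed with a small model. The following is an added illustration, not Impala's code: AuthorizationPolicy, RangerImpalaPlugin and the check functions are simplified stand-ins, and the helper names role_exists, reproduce and set_owner_after_fix_accepts are assumptions, not the real Impala or Ranger API.

```python
"""Model of the IMPALA-12398 role-existence check (added illustration, not Impala code).

With Ranger authorization enabled, Impala has two places a role could be looked up:
  * AuthorizationPolicy  - Impala's own catalog-side policy object, which in this
                           scenario never receives Ranger roles
  * RangerImpalaPlugin   - the Ranger plugin, where CREATE ROLE actually lands
The pre-patch check consulted the first; the patched check consults the second.
"""


class AnalysisException(Exception):
    """Stand-in for org.apache.impala.common.AnalysisException."""


class AuthorizationPolicy:
    """Catalog-side policy store. Ranger roles are never loaded here (the ticket's premise)."""

    def __init__(self):
        self._roles = {}

    def get_role(self, name):
        # Mirrors getAuthPolicy().getRole(ownerName): None when unknown.
        return self._roles.get(name)


class RangerImpalaPlugin:
    """Stand-in for the Ranger plugin that owns role definitions after IMPALA-10211."""

    def __init__(self):
        self._roles = set()

    def create_role(self, name):
        # CREATE ROLE with Ranger enabled registers the role only here.
        self._roles.add(name)

    def role_exists(self, name):
        # Assumed helper name; the real plugin API is not shown on the page.
        return name in self._roles

    def show_roles(self):
        # What SHOW ROLES reports in the ticket: roles known to the plugin.
        return sorted(self._roles)


def set_owner_role_before_fix(policy, owner_name):
    """Pre-patch check from AlterTableOrViewSetOwnerStmt: looks in AuthorizationPolicy."""
    if policy.get_role(owner_name) is None:
        raise AnalysisException(f"Role '{owner_name}' does not exist.")
    return owner_name


def set_owner_role_after_fix(plugin, owner_name):
    """Patched check: asks the Ranger plugin, the store CREATE ROLE actually wrote to."""
    if not plugin.role_exists(owner_name):
        raise AnalysisException(f"Role '{owner_name}' does not exist.")
    return owner_name


def set_owner_after_fix_accepts(plugin, owner_name):
    """True if the patched check admits owner_name; the existence check itself is kept."""
    try:
        set_owner_role_after_fix(plugin, owner_name)
        return True
    except AnalysisException:
        return False


def reproduce(role="hql_test"):
    """Replays the ticket's steps; returns (SHOW ROLES output, pre-patch error, post-patch owner)."""
    policy = AuthorizationPolicy()
    plugin = RangerImpalaPlugin()
    plugin.create_role(role)  # "create role hql_test" with Ranger enabled
    try:
        set_owner_role_before_fix(policy, role)
        before_error = None
    except AnalysisException as e:
        before_error = str(e)  # "Role 'hql_test' does not exist." despite SHOW ROLES listing it
    after_owner = set_owner_role_after_fix(plugin, role)
    return plugin.show_roles(), before_error, after_owner


if __name__ == "__main__":
    roles, before_error, after_owner = reproduce()
    print("SHOW ROLES      :", roles)
    print("before the patch:", before_error)
    print("after the patch : owner set to role", after_owner)
```

The point the model makes explicit is that the fix does not drop the existence check; it moves it to the store that CREATE ROLE populates, so an unknown role is still rejected while a role that SHOW ROLES lists is now accepted.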



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
