[ 
https://issues.apache.org/jira/browse/IMPALA-11743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17815473#comment-17815473
 ] 

ASF subversion and git services commented on IMPALA-11743:
----------------------------------------------------------

Commit b3b8e21038f952b83287d321a6e68c4d5e8cfebd in impala's branch 
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b3b8e2103 ]

IMPALA-12578: Pass owner user of database and table to Ranger in GRANT/REVOKE

After RANGER-1200, Ranger allows the owner user of a resource to
grant/revoke a privilege to/from a grantee/revokee, which requires the
client of the Ranger server to provide the ownership information in the
requests for granting and revoking accesses.

Before this patch, Impala did not provide its Ranger plug-in with the
owner user of resource in the GRANT and REVOKE statements and thus the
owner user of a resource was not able to grant/revoke a privilege
to/from other principals. This patch passes to the Ranger server the
owner user of resource in the GRANT and REVOKE statements when the
resource is a database, a table, or a column. This way the owner user
does not have to be explicitly granted additional privileges on the
resource to execute the GRANT and REVOKE statements for the
aforementioned resource types.

For user-defined functions, we will deal with this resource type in
IMPALA-12685 in that it depends on IMPALA-11743 where we will have to
make Impala load from Hive MetaStore the owner user of a user-defined
function.

The patch also fixes a potential bug in getOwnerUser() of Db, LocalDb,
Table, and LocalTable. Specifically, before this patch, when
determining the owner user of a database or a table, Impala returned
the owner name without verifying the corresponding principal type is
indeed a user. This was problematic because the principal type could be
a group or a role. In addition, we note that Ranger assumes implicitly
that the provided owner is a user. This could be seen from the
definition of GrantRevokeRequest. Before Ranger adds an additional
field in GrantRevokeRequest to distinguish an owner user from an owner
group, Impala will not be able to support allowing a user in an owner
group to grant or revoke privileges on the resources owned by the owner
group.

Testing:
 - Added an end-to-end test to verify that the owner user of a resource
   is able to execute the GRANT/REVOKE statements without being granted
   additional privileges if the resource is a database, a table, or a
   column.

Change-Id: Ibac5335c65a860963ef0ccd890a926af80585ef3
Reviewed-on: http://gerrit.cloudera.org:8080/20916
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Reviewed-by: Fang-Yu Rao <fangyu....@cloudera.com>


> Support the OWNER privilege for UDFs in Impala
> ----------------------------------------------
>
>                 Key: IMPALA-11743
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11743
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Currently in Impala a user allowed to create a UDF in a database still has to 
> be explicitly granted the necessary privileges to execute the UDF later in a 
> SELECT query. It would be more convenient if the ownership information of a 
> UDF could also be retrieved during the query analysis of such SELECT queries 
> so that the owner/creator of a UDF will be allowed to execute the UDF without 
> being explicitly granted the necessary privileges on the UDF.
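The getOwnerUser() fix described in the commit message above, as an added example (not Impala's or Ranger's code): it contrasts returning the owner name unconditionally with returning it only when the principal type is a user, and shows what a receiver that reads the field as a user name would conclude. The `Owner` and `GrantRequest` records, the `grantorIsOwner` check, and all sample names are hypothetical stand-ins; records require Java 16 or later.

```java
import java.util.Optional;

public class OwnerUserExample {
  // Principal kinds named in the commit message: an owner may be a user, a group or a role.
  enum PrincipalType { USER, GROUP, ROLE }

  // Hypothetical catalog record: the owner name plus the kind of principal it denotes.
  record Owner(String name, PrincipalType type) {}

  // Hypothetical request with only the fields this example needs.
  record GrantRequest(String grantor, String resource, Optional<String> ownerUser) {}

  // Behaviour described as "before this patch": the name is returned whatever its type.
  static Optional<String> ownerUserUnchecked(Owner o) {
    return Optional.ofNullable(o).map(Owner::name);
  }

  // Behaviour described as the fix: only an owner of type USER yields an owner user.
  static Optional<String> ownerUserChecked(Owner o) {
    return Optional.ofNullable(o).filter(x -> x.type() == PrincipalType.USER).map(Owner::name);
  }

  // Toy stand-in for the receiving side, which reads ownerUser as a user name.
  // Assumption for illustration only; this is not Ranger's policy evaluation.
  static boolean grantorIsOwner(GrantRequest r) {
    return r.ownerUser().map(r.grantor()::equals).orElse(false);
  }

  public static void main(String[] args) {
    // Constructed sample data: owners[i] owns the table, grantors[i] issues the GRANT.
    Owner[] owners = {
      new Owner("alice", PrincipalType.USER),  // user-owned table, owner grants
      new Owner("etl", PrincipalType.GROUP),   // group-owned table, user named like the group
      new Owner("etl", PrincipalType.ROLE),    // role-owned table, user named like the role
      null                                     // no owner recorded
    };
    String[] grantors = {"alice", "etl", "etl", "alice"};
    for (int i = 0; i < owners.length; i++) {
      GrantRequest before = new GrantRequest(grantors[i], "db1.t1", ownerUserUnchecked(owners[i]));
      GrantRequest after = new GrantRequest(grantors[i], "db1.t1", ownerUserChecked(owners[i]));
      System.out.printf("owner=%s grantor=%s unchecked=%b checked=%b%n",
          owners[i], grantors[i], grantorIsOwner(before), grantorIsOwner(after));
    }
  }
}
```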


