[ https://issues.apache.org/jira/browse/IMPALA-11743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17815473#comment-17815473 ]
ASF subversion and git services commented on IMPALA-11743:
----------------------------------------------------------

Commit b3b8e21038f952b83287d321a6e68c4d5e8cfebd in impala's branch refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b3b8e2103 ]

IMPALA-12578: Pass owner user of database and table to Ranger in GRANT/REVOKE

After RANGER-1200, Ranger allows the owner user of a resource to
grant/revoke a privilege to/from a grantee/revokee, which requires the
client of the Ranger server to provide the ownership information in the
requests for granting and revoking accesses.

Before this patch, Impala did not provide its Ranger plug-in with the
owner user of resource in the GRANT and REVOKE statements and thus the
owner user of a resource was not able to grant/revoke a privilege
to/from other principals.

This patch passes to the Ranger server the owner user of resource in
the GRANT and REVOKE statements when the resource is a database, a
table, or a column. This way the owner user does not have to be
explicitly granted additional privileges on the resource to execute
the GRANT and REVOKE statements for the aforementioned resource types.

For user-defined functions, we will deal with this resource type in
IMPALA-12685 in that it depends on IMPALA-11743 where we will have to
make Impala load from Hive MetaStore the owner user of a user-defined
function.

The patch also fixes a potential bug in getOwnerUser() of Db, LocalDb,
Table, and LocalTable. Specifically, before this patch, when
determining the owner user of a database or a table, Impala returned
the owner name without verifying the corresponding principal type is
indeed a user. This was problematic because the principal type could
be a group or a role. In addition, we note that Ranger assumes
implicitly that the provided owner is a user. This could be seen from
the definition of GrantRevokeRequest. Before Ranger adds an additional
field in GrantRevokeRequest to distinguish an owner user from an owner
group, Impala will not be able to support allowing a user in an owner
group to grant or revoke privileges on the resources owned by the
owner group.

Testing:
 - Added an end-to-end test to verify that the owner user of a resource
   is able to execute the GRANT/REVOKE statements without being granted
   additional privileges if the resource is a database, a table, or a
   column.

Change-Id: Ibac5335c65a860963ef0ccd890a926af80585ef3
Reviewed-on: http://gerrit.cloudera.org:8080/20916
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Reviewed-by: Fang-Yu Rao <fangyu....@cloudera.com>

> Support the OWNER privilege for UDFs in Impala
> ----------------------------------------------
>
>                 Key: IMPALA-11743
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11743
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Frontend
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Currently in Impala a user allowed to create a UDF in a database still has to
> be explicitly granted the necessary privileges to execute the UDF later in a
> SELECT query. It would be more convenient if the ownership information of a
> UDF could also be retrieved during the query analysis of such SELECT queries
> so that the owner/creator of a UDF will be allowed to execute the UDF without
> being explicitly granted the necessary privileges on the UDF.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)