[ https://issues.apache.org/jira/browse/IMPALA-12190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17848508#comment-17848508 ]

Quanlong Huang commented on IMPALA-12190:
-----------------------------------------

Column masking and row filtering policies will also be messed up by RENAME. I
think tag based policy will also be messed up if data lineages are not updated
accordingly.

+1 for a new Ranger API that returns all policies matching a given table (and
optionally for a given user). We also need this to improve IMPALA-11501 to
avoid loading the table schema from HMS. Currently, to check whether a user has
a corresponding column masking policy on a table, we have to load the table to
get all the column names and check whether there are policies on each column,
which is inefficient.

> Renaming table will cause losing privileges for non-admin users
> ---------------------------------------------------------------
>
> Key: IMPALA-12190
> URL: https://issues.apache.org/jira/browse/IMPALA-12190
> Project: IMPALA
> Issue Type: Bug
> Components: Catalog
> Reporter: Gabor Kaszab
> Assignee: Sai Hemanth Gantasala
> Priority: Critical
> Labels: alter-table, authorization, ranger
>
> Let's say user 'a' gets some privileges on table 't'. When this table gets
> renamed (even by user 'a') then user 'a' loses its privileges on that table.
>
> Repro steps:
> # Start impala with Ranger
> # start impala-shell as admin (-u admin)
> # create table tmp (i int, s string) stored as parquet;
> # grant all on table tmp to user <username>;
> # grant all on table tmp to user <username>;
> {code:java}
> Query: show grant user <username> on table tmp
> +----------------+----------------+----------+-------+--------+-----+--------------+-------------+-----+-----------+--------------+-------------+
> | principal_type | principal_name | database | table | column | uri | storage_type | storage_uri | udf | privilege | grant_option | create_time |
> +----------------+----------------+----------+-------+--------+-----+--------------+-------------+-----+-----------+--------------+-------------+
> | USER           | <username>     | default  | tmp   | *      |     |              |             |     | all       | false        | NULL        |
> +----------------+----------------+----------+-------+--------+-----+--------------+-------------+-----+-----------+--------------+-------------+
> Fetched 1 row(s) in 0.01s {code}
> # alter table tmp rename to tmp_1234;
> # show grant user <username> on table tmp_1234;
> {code:java}
> Query: show grant user <username> on table tmp_1234
> Fetched 0 row(s) in 0.17s{code}
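
The table-level policy lookup requested in the comment, applied to the rename from the repro steps, as an added Python example (not Impala or Ranger code). It assumes a simplified form of Ranger's policy JSON and approximates Ranger's wildcard matching with `fnmatch`; the function names and sample policies are hypothetical and constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in a simplified form of Ranger's policy JSON
# (policyType 0 = access, 1 = masking, 2 = row filter). Not real exported data.
def _policy(pid, ptype, db, table, column=None):
    res = {"database": {"values": [db]}, "table": {"values": [table]}}
    if column is not None:
        res["column"] = {"values": [column]}
    return {"id": pid, "policyType": ptype, "resources": res}

POLICIES = [
    _policy(1, 0, "default", "tmp", "*"),    # the GRANT ALL from the repro
    _policy(2, 1, "default", "tmp", "s"),    # column masking on tmp.s
    _policy(3, 2, "default", "tmp"),         # row filter on tmp
    _policy(4, 0, "default", "*", "*"),      # wildcard policy, survives a rename
    _policy(5, 0, "default", "other", "*"),  # unrelated table
]
KIND = {0: "access", 1: "masking", 2: "row-filter"}

def _matches(policy, key, name):
    # Assumption: case-insensitive '*'/'?' matching approximates Ranger's matcher.
    values = policy["resources"].get(key, {}).get("values", [])
    return any(fnmatchcase(name.lower(), v.lower()) for v in values)

def policies_for_table(policies, db, table):
    """All policies whose database and table resources match db.table.
    Column names are never needed, so no table schema has to be loaded."""
    return [p for p in policies
            if _matches(p, "database", db) and _matches(p, "table", table)]

def rename_impact(policies, db, old, new):
    """Policies that applied to db.old but will not apply to db.new."""
    still_applies = {p["id"] for p in policies_for_table(policies, db, new)}
    return [(p["id"], KIND[p["policyType"]])
            for p in policies_for_table(policies, db, old)
            if p["id"] not in still_applies]

if __name__ == "__main__":
    for pid, kind in rename_impact(POLICIES, "default", "tmp", "tmp_1234"):
        print(f"policy {pid} ({kind}) no longer matches after rename")
```

Run against a real policy export before an `ALTER TABLE ... RENAME`, the same comparison lists every access, masking and row-filter policy that would have to be updated to follow the table.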