[
https://issues.apache.org/jira/browse/IMPALA-13722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17923389#comment-17923389
]
ASF subversion and git services commented on IMPALA-13722:
----------------------------------------------------------
Commit 59616d7bd1b1f4fe3e2174343453b8554e75033e in impala's branch
refs/heads/master from stiga-huang
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=59616d7bd ]
IMPALA-13722: Ranger request should have no null values in the resources map
Each Ranger privilege grant/revoke request has a resources map to
describe the target resource, e.g. db, table, url, etc. The keys of the
resources map are predefined strings like "database", "table", "column",
"url", etc. The values are the actual resource name or "*" as a wildcard
for all such kinds of resources.
Our FE tests unintentionally set null values on "url" when the resources
map doesn't have such a key. See AuthorizationTestBase#updateUri().
Using null as the value is an undefined behavior and it causes
NullPointerException in newer versions of Ranger when granting/revoking
privileges (might due to RANGER-4638 that adds a code to split the
string value).
This patch fixes AuthorizationTestBase#updateUri() to only update the
URL when it's not null and starts with "/".
Tests:
- Verified the fix in a downstream build with a newer Ranger version
that hits the issue.
Change-Id: Ibed929bcd25ffdf54fa5f0fc848a0cc13c1fb0a2
Reviewed-on: http://gerrit.cloudera.org:8080/22435
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Ranger request should have no null values in the resources map
> --------------------------------------------------------------
>
> Key: IMPALA-13722
> URL: https://issues.apache.org/jira/browse/IMPALA-13722
> Project: IMPALA
> Issue Type: Bug
> Components: Test
> Reporter: Quanlong Huang
> Assignee: Quanlong Huang
> Priority: Critical
>
> In a downstream build with newer versions of Ranger, we saw tests in
> AuthorizationStmtTest failed to grant and revoke privileges. The cause is
> there is an illegal key-value pair of url=null in the resources map:
> {code:java}
> 2025-01-22 17:37:59,430 ERROR org.apache.ranger.rest.ServiceREST:
> [http-nio-6080-exec-5]: grantAccess(test_impala,
> GrantRevokeRequest={grantor={admin} grantorGroups={admin }
> resource={database=*; column=*; table=*; url=null; } users={non_owner }
> groups={} roles={} accessTypes={create } delegateAdmin={false}
> enableAudit={true} replaceExistingPermissions={false} isRecursive={false}
> clientIPAddress={127.0.0.1} clientType={null} requestData={null}
> sessionId={null} clusterName={test-cluster} zoneName={null} }) failed
> java.lang.NullPointerException: null
> at
> org.apache.ranger.rest.ServiceRESTUtil.getAccessResourceObjectMap(ServiceRESTUtil.java:443)
> ~[classes/:?]
> at
> org.apache.ranger.rest.ServiceREST.grantAccess(ServiceREST.java:1272)
> ~[classes/:?]
> at
> org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke(<generated>)
> ~[classes/:?]
> at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
> ~[spring-core-5.3.39.jar:5.3.39]
> ...{code}
> The resource map in the above case is resource=\{database=\*; column=\*;
> table=\*; url=null; \}. It shouldn't have url=null in the map. This is added
> unintentionally in our FE test code:
> {code:java}
> private static Map<String, String> updateUri(Map<String, String> resources)
> {
> String uri = resources.get(RangerImpalaResourceBuilder.URL);
> if (uri != null && uri.startsWith("/")) {
> uri = "hdfs://localhost:20500" + uri;
> }
> resources.put(RangerImpalaResourceBuilder.URL, uri);
> return resources;
> } {code}
> [https://github.com/apache/impala/blob/8eb57a9921ed6d0ffccb98932d50506fede24fa9/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java#L231-L235]
> When the resources map doesn't contains a key for "url", we get a null uri
> and then set it in the resources map. What we want is just updating it when
> it exists.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
