[jira] [Commented] (IMPALA-14954) Support the WITH ADMIN OPTION clause for granting roles

Thu, 21 May 2026 17:12:12 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-14954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082718#comment-18082718
 ] 

Fang-Yu Rao commented on IMPALA-14954:
--------------------------------------

I think to make the role management easier, we will have to make {{SHOW ROLE 
GRANT GROUP}} and {{SHOW ROLE GRANT USER}} at least display the column/field of 
'{{{}grant_option{}}}'.

But we don't have to display the column/field of '{{{}grant_option{}}}' for 
{{SHOW ROLES}} or {{{}SHOW CURRENT ROLES{}}}.

>From the above, I think we need to implement an additional method tackling 
>{{SHOW ROLE GRANT GROUP}} and {{{}SHOW ROLE GRANT USER{}}}.

> Support the WITH ADMIN OPTION clause for granting roles
> -------------------------------------------------------
>
>                 Key: IMPALA-14954
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14954
>             Project: IMPALA
>          Issue Type: Task
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Apache Hive supports the {{WITH ADMIN OPTION}} clause for the GRANT ROLE 
> statement as shown at 
> [https://hive.apache.org/docs/latest/language/sql-standard-based-hive-authorization/#:~:text=GRANT%20role_name%20%5B%2C%20role_name%5D%20...%0ATO%20principal_specification%20%5B%2C%20principal_specification%5D%20...%20%0A%5B%20WITH%20ADMIN%20OPTION%20%5D%3B.]
>  
> This allows users/groups assigned a role with "{{{}WITH ADMIN OPTION{}}}" to 
> grant/revoke the same role to/from other users/groups, and hence could 
> decentralize the role management. We should do this too in Apache Impala.
>  
> I briefly verified that to delegate the role management of a role to a 
> grantee, it suffices to add the following after 
> [https://github.com/apache/impala/blob/a44f72d/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java#L566]
>  when constructing the corresponding {{{}GrantRevokeRoleRequest{}}}.
> {code:java}
> request.setGrantOption(true);
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to