[ https://issues.apache.org/jira/browse/IMPALA-15047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fang-Yu Rao updated IMPALA-15047:
---------------------------------
    Description: 
Currently for {{SHOW ROLES}} and {{SHOW ROLE GRANT GROUP/USER}} statements, 
Impala calls 
[RangerUtil#validateRangerAdmin()|https://github.com/apache/impala/blob/ac1e178/fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java#L112-L124]
 to check whether the requesting user has the necessary permission. Under the 
covers, we make a REST call to the Ranger server.
{code:java}
    plugin.getAllRoles(user, null);
{code}
 

We could probably replace the above call with 
[RangerBasePlugin#isServiceAdmin()|https://github.com/apache/ranger/blob/c5b55a4/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L968-L980]
 to check the requesting user's permission, since this is what Apache Hive also 
does in 
[RangerHiveAuthorizer#getAllRoles()|https://github.com/apache/ranger/blob/c5b55a4/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L1189]
 when Ranger is the authorization provider.
{code:java}
            if (!hivePlugin.isServiceAdmin(currentUserName)) {
                throw new HiveAccessControlException(
                    "RangerHiveAuthorizer.getAllRoles(): User not authorized to run show roles...");
            }
{code}



  was:
Currently for {{SHOW ROLES}} and {{SHOW ROLE GRANT GROUP/USER}} statements, 
Impala calls 
[RangerUtil#validateRangerAdmin()|https://github.com/apache/impala/blob/ac1e178/fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java#L112-L124]
 to check whether the requesting user has the necessary permission. Under the 
covers, we make a REST call to the Ranger server.
{code:java}
    plugin.getAllRoles(user, null);
{code}
 

We could probably replace the above call with 
[RangerBasePlugin#isServiceAdmin()|https://github.com/apache/ranger/blob/c5b55a4/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L968-L980]
 to check the requesting user's permission, since this is what Apache Hive also 
does in 
[RangerHiveAuthorizer#getAllRoles()|https://github.com/apache/ranger/blob/c5b55a4/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L1189]
 when Ranger is the authorization provider.
{code:java}
            if (!hivePlugin.isServiceAdmin(currentUserName)) {
                throw new HiveAccessControlException(
                    "RangerHiveAuthorizer.getAllRoles(): User not authorized to run show roles...");
            }
{code}


> Use RangerBasePlugin#isServiceAdmin() instead of 
> RangerUtil#validateRangerAdmin() when authorizing the SHOW ROLES and SHOW 
> ROLE GRANT statements
> ------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-15047
>                 URL: https://issues.apache.org/jira/browse/IMPALA-15047
>             Project: IMPALA
>          Issue Type: Task
>            Reporter: Fang-Yu Rao
>            Priority: Major
>         Attachments: ranger_add_config_screenshot.png
>
>
> Currently for {{SHOW ROLES}} and {{SHOW ROLE GRANT GROUP/USER}} statements, 
> Impala calls 
> [RangerUtil#validateRangerAdmin()|https://github.com/apache/impala/blob/ac1e178/fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java#L112-L124]
>  to check whether the requesting user has the necessary permission. Under the 
> covers, we make a REST call to the Ranger server.
> {code:java}
>     plugin.getAllRoles(user, null);
> {code}
>  
> We could probably replace the above call with 
> [RangerBasePlugin#isServiceAdmin()|https://github.com/apache/ranger/blob/c5b55a4/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L968-L980]
>  to check the requesting user's permission, since this is what Apache Hive also 
> does in 
> [RangerHiveAuthorizer#getAllRoles()|https://github.com/apache/ranger/blob/c5b55a4/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L1189]
>  when Ranger is the authorization provider.
> {code:java}
>             if (!hivePlugin.isServiceAdmin(currentUserName)) {
>                 throw new HiveAccessControlException(
>                     "RangerHiveAuthorizer.getAllRoles(): User not authorized to run show roles...");
>             }
> {code}


