Fang-Yu Rao created IMPALA-15047:
------------------------------------
Summary: Use RangerBasePlugin#isServiceAdmin() instead of
RangerUtil#validateRangerAdmin() when authorizing the SHOW ROLES and SHOW ROLE
GRANT statements
Key: IMPALA-15047
URL: https://issues.apache.org/jira/browse/IMPALA-15047
Project: IMPALA
Issue Type: Task
Reporter: Fang-Yu Rao
Attachments: ranger_add_config_screenshot.png
Currently for {{SHOW ROLES}} and {{SHOW ROLE GRANT GROUP/USER}} statements,
Impala calls
[RangerUtil#validateRangerAdmin()|https://github.com/apache/impala/blob/ac1e178/fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java#L112-L124]
to check whether the requesting user has the necessary permission. Under the
covers, we make a REST call to the Ranger server.
{code:java}
plugin.getAllRoles(user, null);
{code}
We could probably replace the above call with
[RangerBasePlugin#isServiceAdmin()|https://github.com/apache/ranger/blob/c5b55a4/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L968-L980]
to check the requesting user's permission, since this is what Apache Hive also
does in
[RangerHiveAuthorizer#getAllRoles()|https://github.com/apache/ranger/blob/c5b55a4/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L1189]
when Ranger is the authorization provider.
{code:java}
if (!hivePlugin.isServiceAdmin(currentUserName)) {
  throw new HiveAccessControlException(
      "RangerHiveAuthorizer.getAllRoles(): User not authorized to run show roles...");
}
{code}