[
https://issues.apache.org/jira/browse/IMPALA-15047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-15047:
---------------------------------
Attachment: (was: ranger_add_config_screenshot.png)
> Use RangerBasePlugin#isServiceAdmin() instead of
> RangerUtil#validateRangerAdmin() when authorizing the SHOW ROLES and SHOW
> ROLE GRANT statements
> ------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-15047
> URL: https://issues.apache.org/jira/browse/IMPALA-15047
> Project: IMPALA
> Issue Type: Task
> Reporter: Fang-Yu Rao
> Priority: Major
> Attachments: ranger_add_config_screenshot.png
>
>
> Currently for {{SHOW ROLES}} and {{SHOW ROLE GRANT GROUP/USER}} statements,
> Impala calls
> [RangerUtil#validateRangerAdmin()|https://github.com/apache/impala/blob/ac1e178/fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java#L112-L124]
> to check whether the requesting user has the necessary permission. Under the
> covers, we make a REST call to the Ranger server.
> {code:java}
> plugin.getAllRoles(user, null);
> {code}
>
> We could probably replace the above call with
> [RangerBasePlugin#isServiceAdmin()|https://github.com/apache/ranger/blob/c5b55a4/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L968-L980]
> to check the requesting user's permission, since this is what Apache Hive also
> does in
> [RangerHiveAuthorizer#getAllRoles()|https://github.com/apache/ranger/blob/c5b55a4/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L1189]
> when Ranger is the authorization provider.
> {code:java}
> if (!hivePlugin.isServiceAdmin(currentUserName)) {
>   throw new HiveAccessControlException("RangerHiveAuthorizer.getAllRoles(): User not authorized to run show roles...");
> }
> {code}
> To add a user as the service user, it suffices to add the configuration of
> '{{service.admin.users}}' via Ranger's web UI as shown in
> [^ranger_add_config_screenshot.png].