[ https://issues.apache.org/jira/browse/IMPALA-2595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fredy Wijaya resolved IMPALA-2595. ---------------------------------- Resolution: Fixed > Impala inconsistently checks authorization on query and explain query > --------------------------------------------------------------------- > > Key: IMPALA-2595 > URL: https://issues.apache.org/jira/browse/IMPALA-2595 > Project: IMPALA > Issue Type: Bug > Components: Security > Affects Versions: Impala 2.2 > Reporter: Juan Yu > Priority: Minor > > Impala does different authorization check on select query and explain select > query. > For example: > create table foo (col int); > create view foo_vw1 as (select * from foo); > create view foo_vw as (select *, now() from foo); > select * from foo_vw; > Impala only checks if user can access the view > {code} > I1022 08:49:02.224016 25705 Frontend.java:775] analyze query select * from > foo_vw > I1022 08:49:02.226773 25705 ResourceAuthorizationProvider.java:82] > Authorization Request for Subject [name=user1] [Server [name=server1], > Database [name=default], Table [name=foo_vw]] and [SELECT] > I1022 08:49:02.236524 25705 SimpleDBPolicyEngine.java:76] Getting permissions > for [analyst, user1] > I1022 08:49:02.236763 25705 SimpleDBPolicyEngine.java:80] result = > [server=server1->db=iah_crm_analysis, server=server1->db=default, > server=server1->db=iah_crm_analysis_views, > server=server1->db=iah_crm_analysis_views->table=simple_view->action=select, > server=server1->db=_impala_builtins] > I1022 08:49:02.237030 25705 ResourceAuthorizationProvider.java:113] > ProviderPrivilege server=server1->db=iah_crm_analysis, RequestPrivilege > Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet, > ActiveRoleSet = [ roles = ALL , Result false > I1022 08:49:02.237216 25705 ResourceAuthorizationProvider.java:113] > ProviderPrivilege server=server1->db=default, RequestPrivilege > Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet, > ActiveRoleSet = [ roles = ALL , Result true > I1022 08:49:02.237313 25705 Frontend.java:849] create plan > {code} > explain select * from foo_vw1; > Impala checks if user can access both the view and the underlying table > {code} > I1022 08:45:15.358471 25705 Frontend.java:775] analyze query explain select * > from foo_vw1 > I1022 08:45:15.359199 25705 Frontend.java:724] Requesting prioritized load of > table(s): default.foo_vw1 > I1022 08:45:18.388422 25705 ResourceAuthorizationProvider.java:82] > Authorization Request for Subject [name=user1] [Server [name=server1], > Database [name=default], Table [name=foo_vw1]] and [SELECT] > I1022 08:45:18.393242 25705 ResourceAuthorizationProvider.java:82] > Authorization Request for Subject [name=user1] [Server [name=server1], > Database [name=default], Table [name=foo]] and [SELECT] > {code} > explain select * from foo_vw; > if the view contains builtin function, Impala will check if user can access > the builtin database "_impala_builtins" as well. > {code} > I1022 08:41:35.863819 25705 Frontend.java:775] analyze query explain select * > from foo_vw > I1022 08:41:35.864527 25705 Frontend.java:724] Requesting prioritized load of > table(s): default.foo_vw > I1022 08:41:40.283463 25705 ResourceAuthorizationProvider.java:82] > Authorization Request for Subject [name=user1] [Server [name=server1], > Database [name=default], Table [name=foo_vw]] and [SELECT] > I1022 08:41:40.284415 25705 ResourceAuthorizationProvider.java:82] > Authorization Request for Subject [name=user1] [Server [name=server1], > Database [name=default], Table [name=foo]] and [SELECT] > I1022 08:41:40.288105 25705 ResourceAuthorizationProvider.java:82] > Authorization Request for Subject [name=user1] [Server [name=server1], > Database [name=_impala_builtins]] and [INSERT] > I1022 08:41:40.289621 25705 ResourceAuthorizationProvider.java:82] > Authorization Request for Subject [name=user1] [Server [name=server1], > Database [name=_impala_builtins]] and [INSERT] > {code} > This doesn't seem make sense. -- This message was sent by Atlassian JIRA (v7.6.3#76005)