[ https://issues.apache.org/jira/browse/IMPALA-2595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fredy Wijaya resolved IMPALA-2595.
----------------------------------
    Resolution: Fixed

> Impala inconsistently checks authorization on query and explain query
> ---------------------------------------------------------------------
>
>                 Key: IMPALA-2595
>                 URL: https://issues.apache.org/jira/browse/IMPALA-2595
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: Impala 2.2
>            Reporter: Juan Yu
>            Priority: Minor
>
> Impala does different authorization checks on a select query and an explain
> select query.
> For example:
> create table foo (col int);
> create view foo_vw1 as (select * from foo);
> create view foo_vw as (select *, now() from foo);
> select * from foo_vw; 
> Impala only checks if user can access the view
> {code}
> I1022 08:49:02.224016 25705 Frontend.java:775] analyze query select * from 
> foo_vw
> I1022 08:49:02.226773 25705 ResourceAuthorizationProvider.java:82] 
> Authorization Request for Subject [name=user1] [Server [name=server1], 
> Database [name=default], Table [name=foo_vw]] and [SELECT]
> I1022 08:49:02.236524 25705 SimpleDBPolicyEngine.java:76] Getting permissions 
> for [analyst, user1]
> I1022 08:49:02.236763 25705 SimpleDBPolicyEngine.java:80] result = 
> [server=server1->db=iah_crm_analysis, server=server1->db=default, 
> server=server1->db=iah_crm_analysis_views, 
> server=server1->db=iah_crm_analysis_views->table=simple_view->action=select, 
> server=server1->db=_impala_builtins]
> I1022 08:49:02.237030 25705 ResourceAuthorizationProvider.java:113] 
> ProviderPrivilege server=server1->db=iah_crm_analysis, RequestPrivilege 
> Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet, 
> ActiveRoleSet = [ roles = ALL , Result false
> I1022 08:49:02.237216 25705 ResourceAuthorizationProvider.java:113] 
> ProviderPrivilege server=server1->db=default, RequestPrivilege 
> Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet, 
> ActiveRoleSet = [ roles = ALL , Result true
> I1022 08:49:02.237313 25705 Frontend.java:849] create plan
> {code}
> explain select * from foo_vw1; 
> Impala checks if user can access both the view and the underlying table
> {code}
> I1022 08:45:15.358471 25705 Frontend.java:775] analyze query explain select * 
> from foo_vw1
> I1022 08:45:15.359199 25705 Frontend.java:724] Requesting prioritized load of 
> table(s): default.foo_vw1
> I1022 08:45:18.388422 25705 ResourceAuthorizationProvider.java:82] 
> Authorization Request for Subject [name=user1] [Server [name=server1], 
> Database [name=default], Table [name=foo_vw1]] and [SELECT]
> I1022 08:45:18.393242 25705 ResourceAuthorizationProvider.java:82] 
> Authorization Request for Subject [name=user1] [Server [name=server1], 
> Database [name=default], Table [name=foo]] and [SELECT]
> {code}
> explain select * from foo_vw; 
> If the view contains a builtin function, Impala will check if the user can
> access the builtin database "_impala_builtins" as well.
> {code}
> I1022 08:41:35.863819 25705 Frontend.java:775] analyze query explain select * 
> from foo_vw
> I1022 08:41:35.864527 25705 Frontend.java:724] Requesting prioritized load of 
> table(s): default.foo_vw
> I1022 08:41:40.283463 25705 ResourceAuthorizationProvider.java:82] 
> Authorization Request for Subject [name=user1] [Server [name=server1], 
> Database [name=default], Table [name=foo_vw]] and [SELECT]
> I1022 08:41:40.284415 25705 ResourceAuthorizationProvider.java:82] 
> Authorization Request for Subject [name=user1] [Server [name=server1], 
> Database [name=default], Table [name=foo]] and [SELECT]
> I1022 08:41:40.288105 25705 ResourceAuthorizationProvider.java:82] 
> Authorization Request for Subject [name=user1] [Server [name=server1], 
> Database [name=_impala_builtins]] and [INSERT]
> I1022 08:41:40.289621 25705 ResourceAuthorizationProvider.java:82] 
> Authorization Request for Subject [name=user1] [Server [name=server1], 
> Database [name=_impala_builtins]] and [INSERT]
> {code}
> This doesn't seem to make sense.


