[
https://issues.apache.org/jira/browse/IMPALA-8933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kurt Deschler resolved IMPALA-8933.
-----------------------------------
Fix Version/s: Impala 3.4.0
Resolution: Fixed
> Ranger column deny policies not respected under certain circumstances
> ---------------------------------------------------------------------
>
> Key: IMPALA-8933
> URL: https://issues.apache.org/jira/browse/IMPALA-8933
> Project: IMPALA
> Issue Type: Bug
> Components: Security
> Affects Versions: Impala 3.4.0
> Reporter: Kurt Deschler
> Assignee: Kurt Deschler
> Priority: Major
> Labels: ranger
> Fix For: Impala 3.4.0
>
>
> Ranger authorization checker missed a case of handling column level deny
> policies for select and insert statements. This issue causes the policies to
> not be enforced and can allow unintended access to protected columns.
> Steps to Repro:
> Connect impala-shell as admin:
> CREATE table(c1 int, c2 int);
> INSERT INTO T1 VALUES(1,1);
> In Ranger:
> Add policies:
> 1) Name t1allow, Database *, Table t1,
> Allow conditions user: <unix login>, Permissions: select
> 2) Name t1deny, Database *, Table t1,
> Deny conditions user: <unix login>, Permissions: select
> Connect impala-shell as <unix login>:
> SELECT c1 from t1; -- Not allowed
> SELECT c2 from t1; -- Allowed
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
