Xiaomin Zhang created IMPALA-9269:
-------------------------------------
Summary: Explain on view not allowed with all column granted on
the underlying table
Key: IMPALA-9269
URL: https://issues.apache.org/jira/browse/IMPALA-9269
Project: IMPALA
Issue Type: Bug
Components: Security
Reporter: Xiaomin Zhang
This issue is initially reported in IMPALA-5998 but was marked as "cannot
reproduce". I encountered this exact same issue on the upstream:
[localhost:21000] default> show current roles;
Query: show current roles
+-----------+
| role_name |
+-----------+
| guest |
+-----------+
Fetched 1 row(s) in 0.05s
[localhost:21000] default> show grant role guest;
Query: show grant role guest
+----------+------------------+-------+--------+-----+-----------+--------------+-------------------------------+
| scope | database | table | column | uri | privilege | grant_option |
create_time |
+----------+------------------+-------+--------+-----+-----------+--------------+-------------------------------+
| database | _impala_builtins | | | | select | false | Fri, Dec 13 2019
13:45:00.917 |
| database | default | | | | all | false | Tue, Dec 10 2019 15:43:50.497 |
| column | tpch | test | c | | select | false | Fri, Dec 13 2019 09:43:21.112 |
+----------+------------------+-------+--------+-----+-----------+--------------+-------------------------------+
Fetched 3 row(s) in 0.01s
[localhost:21000] default> show create table tpch.test;
Query: show create table tpch.test
ERROR: AuthorizationException: User 'test' does not have privileges to access:
tpch.test
[localhost:21000] default> select * from tpch.test;
Query: select * from tpch.test
Query submitted at: 2019-12-29 15:56:37 (Coordinator: http://dnode:25000)
Query progress can be monitored at:
http://dnode:25000/query_plan?query_id=234e59a328fc8046:e78b625d00000000
+-----+
| c |
+-----+
| 100 |
+-----+
Fetched 1 row(s) in 0.23s
[localhost:21000] default> create view test_view as select * from tpch.test;
Query: create view test_view as select * from tpch.test
Query submitted at: 2019-12-29 15:57:02 (Coordinator: http://dnode:25000)
Query progress can be monitored at:
http://dnode:25000/query_plan?query_id=ee48927ef97bdc09:1ec2396100000000
+------------------------+
| summary |
+------------------------+
| View has been created. |
+------------------------+
Fetched 1 row(s) in 0.12s
[localhost:21000] default> select * from test_view;
Query: select * from test_view
Query submitted at: 2019-12-29 15:57:07 (Coordinator: http://dnode:25000)
Query progress can be monitored at:
http://dnode:25000/query_plan?query_id=5742d31eee7501ab:2945693500000000
+-----+
| c |
+-----+
| 100 |
+-----+
Fetched 1 row(s) in 5.40s
[localhost:21000] default> explain select * from test_view;
Query: explain select * from test_view
ERROR: AuthorizationException: User 'test' does not have privileges to EXPLAIN
this statement.
[localhost:21000] default> show create view test_view;
Query: show create view test_view
ERROR: AuthorizationException: User 'test' does not have privileges to see the
definition of view 'default.test_view'.
I think there are 2 issues here:
1) User could not see the VIEW definition after creating it
2) User could not explain the VIEW, even with all columns granted
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
