Fang-Yu Rao created IMPALA-11281:
------------------------------------
Summary: Consider loading the table metadata for a
ResetMetadataStmt
Key: IMPALA-11281
URL: https://issues.apache.org/jira/browse/IMPALA-11281
Project: IMPALA
Issue Type: Bug
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao
Currently when a {{ResetMetadataStmt}} is being analyzed, we do not add its
'{{{}tableName_{}}}' to the given '{{{}tblRefs{}}}' if its
'{{{}partitionSpec_{}}}' is null
([https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java#L131]).
When the metadata of a table is not fully loaded, we won't populate the column
names of a table in its corresponding {{AuthorizableTable}}
([https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L227L229])
since the table is an {{{}IncompleteTable{}}}.
If the column names are not populated in the corresponding
{{AuthorizableTable}} of a table in a {{{}ResetMetadataStmt{}}}, then the logic
inĀ
[RangerAuthorizationChecker#authorizeByTableMasking()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L669-L684]
that is supposed to block the metadata update when there are policies defined
on the columns could not take effect since in this case [((AuthorizableTable)
authorizable).getColumns()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L663]
returns an empty list. That is, such an update would be allowed if there is no
other authorization error.
To reproduce the issue, we could comment out all the test cases in
[RangerAuditLogTest#testAuditsForColumnMasking()|https://github.com/apache/impala/blob/master/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java#L261]
except for the following one. The following test case would fail since the
query "{{{}invalidate metadata functional.alltypestiny{}}}" won't result in any
authorization error. This test case could succeed with its previous test cases
enabled because in the previous test cases, there is at least one invocation to
{{SelectStmt#collectTableRefs()}} that triggers the metadata loading of the
table '{{{}functional.alltypestiny{}}}'.
{code:java}
// Updates on metadata fails by column-masking policies.
authzError(events -> {
assertEquals(1, events.size());
assertEquals("invalidate metadata functional.alltypestiny",
events.get(0).getRequestData());
assertEventEquals("@table", "refresh", "functional/alltypestiny", 0,
events.get(0));
// Make sure it's denied by a column masking policy.
assertTrue(columnMaskingPolicyIds.contains(events.get(0).getPolicyId()));
}, "invalidate metadata functional.alltypestiny",
onServer(TPrivilegeLevel.ALL));
{code}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
