Quanlong Huang created IMPALA-11501:
---------------------------------------
Summary: Add flag to allow metadata-cache operations on masked
tables
Key: IMPALA-11501
URL: https://issues.apache.org/jira/browse/IMPALA-11501
Project: IMPALA
Issue Type: New Feature
Components: Security
Reporter: Quanlong Huang
"REFRESH <table>" and "INVALIDATE METADATA <table>" are the table level
metadata-cache operations that only used in Impala (not Hive, SparkSQL or else).
In Hive-Ranger plugin, when a table is masked (either by column-masking or
row-filtering policy) for a user, the user can't perform any modification
(insert/delete/update) on the table (RANGER-1087, RANGER-1100). However, Hive
doesn't have those metadata-cache operations. It's a grey area whether we
should block them or not.
Currently, Impala blocks metadata-cache operations as well (IMPALA-10554,
IMPALA-11281). However, it's possible that, before upgrade, some data-consumer
jobs already have REFRESH in them. It'd be better to have a flag to allow such
operations for smooth upgrade process.
The flag can be something like "allow_refresh_by_masked_users".
CC [~fangyurao], [~csringhofer]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
