Quanlong Huang created IMPALA-12398:
---------------------------------------

             Summary: Ranger role not exists when altering db/table/view owner to a role
                 Key: IMPALA-12398
                 URL: https://issues.apache.org/jira/browse/IMPALA-12398
             Project: IMPALA
          Issue Type: Bug
          Components: Security
            Reporter: Quanlong Huang


To reproduce the issue, start an Impala cluster with Ranger authorization enabled:
{code:bash}
bin/start-impala-cluster.py \
  --impalad_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger" \
  --catalogd_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger"
{code}
Create a role "hql_test" and a temp table "tmp_tbl", then set the owner of it 
to the role:
{code:sql}
$ impala-shell.sh -u admin
default> create table tmp_tbl(id int);
default> create role hql_test;
default> alter table tmp_tbl set owner role hql_test;
Query: alter table tmp_tbl set owner role hql_test
ERROR: AnalysisException: Role 'hql_test' does not exist.
{code}
However, SHOW ROLES can show the role:
{code:sql}
default> show roles;
Query: show roles
+-----------+
| role_name |
+-----------+
| hql_test  |
+-----------+
Fetched 1 row(s) in 0.01s
{code}
Ranger roles are not loaded in Impala's catalog cache. We should either load 
them or use RangerPlugin to check the existence of a role. Code snippet of the role 
check:
{code:java}
if (analyzer.isAuthzEnabled() && owner_.getOwnerType() == TOwnerType.ROLE
    && analyzer.getCatalog().getAuthPolicy().getRole(ownerName) == null) {
  throw new AnalysisException(
      String.format("Role '%s' does not exist.", ownerName));
}
{code}
https://github.com/apache/impala/blob/08501cef2df16991bbd99656c696b978f08aeebe/fe/src/main/java/org/apache/impala/analysis/AlterTableOrViewSetOwnerStmt.java#L56

CC [~fangyurao]
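
The mismatch described above, as an added example that is not part of the original report and not Impala's code: a self-contained model in which the owner-role check consults an empty catalog cache while SHOW ROLES reads from Ranger. All class and method names (RoleSource, CatalogAuthPolicy, RangerRoleStore, checkOwnerRole) are hypothetical stand-ins, not Impala or Ranger APIs.

```java
import java.util.Set;
import java.util.TreeSet;

// Simplified model of the mismatch in this report. Every class and method
// name here is hypothetical; none of them is an Impala or Ranger API.
public class OwnerRoleCheckDemo {
  interface RoleSource { boolean roleExists(String name); }

  // Stand-in for the catalog's cached auth policy: Ranger roles never land here.
  static class CatalogAuthPolicy implements RoleSource {
    private final Set<String> cachedRoles = new TreeSet<>();
    public boolean roleExists(String name) { return cachedRoles.contains(name); }
  }

  // Stand-in for the role store in Ranger that CREATE ROLE and SHOW ROLES use.
  static class RangerRoleStore implements RoleSource {
    private final Set<String> roles = new TreeSet<>();
    void createRole(String name) { roles.add(name); }
    Set<String> showRoles() { return roles; }
    public boolean roleExists(String name) { return roles.contains(name); }
  }

  // Analysis-time check for ALTER ... SET OWNER ROLE against a chosen source.
  static void checkOwnerRole(RoleSource source, String ownerName) {
    if (!source.roleExists(ownerName)) {
      throw new IllegalStateException(
          String.format("Role '%s' does not exist.", ownerName));
    }
  }

  public static void main(String[] args) {
    CatalogAuthPolicy catalogPolicy = new CatalogAuthPolicy();
    RangerRoleStore ranger = new RangerRoleStore();
    ranger.createRole("hql_test");  // the role is created in Ranger only
    System.out.println("SHOW ROLES: " + ranger.showRoles());

    try {  // reported behaviour: the check consults the catalog cache
      checkOwnerRole(catalogPolicy, "hql_test");
    } catch (IllegalStateException e) {
      System.out.println("catalog-cache check: " + e.getMessage());
    }

    // Proposed behaviour: ask the same source that SHOW ROLES reads from.
    checkOwnerRole(ranger, "hql_test");
    System.out.println("provider-backed check: role found");
  }
}
```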


