[ 
https://issues.apache.org/jira/browse/IMPALA-12398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Quanlong Huang resolved IMPALA-12398.
-------------------------------------
    Fix Version/s: Impala 4.4.0
       Resolution: Fixed

Resolving this. Thank [[email protected]]!

> Ranger role not exists when altering db/table/view owner to a role
> ------------------------------------------------------------------
>
>                 Key: IMPALA-12398
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12398
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>            Reporter: Quanlong Huang
>            Assignee: ji.chen
>            Priority: Critical
>              Labels: ramp-up
>             Fix For: Impala 4.4.0
>
>
> To reproduce the issue, start Impala cluster with Ranger authorization 
> enabled:
> {code:bash}
> bin/start-impala-cluster.py \
>   --impalad_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger" \
>   --catalogd_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger"
> {code}
> Create a role "hql_test" and a temp table "tmp_tbl", then set the owner of it 
> to the role:
> {code:sql}
> $ impala-shell.sh -u admin
> default> create table tmp_tbl(id int);
> default> create role hql_test;
> default> alter table tmp_tbl set owner role hql_test;
> Query: alter table tmp_tbl set owner role hql_test
> ERROR: AnalysisException: Role 'hql_test' does not exist.
> {code}
> However, SHOW ROLES can show the role:
> {code:sql}
> default> show roles;
> Query: show roles
> +-----------+
> | role_name |
> +-----------+
> | hql_test  |
> +-----------+
> Fetched 1 row(s) in 0.01s
> {code}
> Ranger roles are not loaded in Impala's catalog cache. We should either load 
> them or use RangerPlugin to check existence of a role. Code snippet of the 
> role check:
> {code:java}
> if (analyzer.isAuthzEnabled() && owner_.getOwnerType() == TOwnerType.ROLE
>     && analyzer.getCatalog().getAuthPolicy().getRole(ownerName) == null) {
>   throw new AnalysisException(String.format("Role '%s' does not exist.", ownerName));
> }
> {code}
> https://github.com/apache/impala/blob/08501cef2df16991bbd99656c696b978f08aeebe/fe/src/main/java/org/apache/impala/analysis/AlterTableOrViewSetOwnerStmt.java#L56
> CC [~fangyurao]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
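
The mismatch described in the quoted report, as an added example that is not Impala or Ranger code: the same existence check is run once against a store that was never populated (standing in for the catalog cache) and once against the store that CREATE ROLE and SHOW ROLES use. All type and method names (OwnerRoleCheck, RoleLookup, tryAlter and the two sets) are hypothetical.

```java
import java.util.HashSet;
import java.util.Set;

/** Constructed model of the reported mismatch; none of these types exist in Impala or Ranger. */
public class OwnerRoleCheck {
  /** Hypothetical abstraction: one backing store answering "does this role exist?". */
  interface RoleLookup { boolean exists(String role); }

  // Stand-in for the store that CREATE ROLE writes to and SHOW ROLES reads from.
  static final Set<String> rangerRoles = new HashSet<>();
  // Stand-in for the catalog cache; per the report, Ranger roles are not loaded into it.
  static final Set<String> catalogCacheRoles = new HashSet<>();

  static final RoleLookup CACHE_LOOKUP = catalogCacheRoles::contains;
  static final RoleLookup RANGER_LOOKUP = rangerRoles::contains;

  /** Same shape as the check quoted in the report, with the lookup made explicit. */
  static void analyzeSetOwnerRole(String role, RoleLookup lookup) {
    if (!lookup.exists(role)) {
      throw new IllegalStateException(String.format("Role '%s' does not exist.", role));
    }
  }

  /** Runs the check and reports the outcome the way the shell would show it. */
  static String tryAlter(String role, RoleLookup lookup) {
    try {
      analyzeSetOwnerRole(role, lookup);
      return "OK";
    } catch (IllegalStateException e) {
      return "ERROR: " + e.getMessage();
    }
  }

  public static void main(String[] args) {
    rangerRoles.add("hql_test");  // models: create role hql_test;
    System.out.println("show roles          -> " + rangerRoles);
    // The cache was never told about the role, so the owner change is rejected.
    System.out.println("cache-backed check  -> " + tryAlter("hql_test", CACHE_LOOKUP));
    // Asking the store that owns the roles accepts it.
    System.out.println("ranger-backed check -> " + tryAlter("hql_test", RANGER_LOOKUP));
    // A role that exists in neither store must still be rejected after the change.
    System.out.println("unknown role        -> " + tryAlter("no_such_role", RANGER_LOOKUP));
  }
}
```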
