Fang-Yu Rao created IMPALA-15190:
------------------------------------
Summary: Allow a role administrator to display the managed roles
granted to users and groups
Key: IMPALA-15190
URL: https://issues.apache.org/jira/browse/IMPALA-15190
Project: IMPALA
Issue Type: Improvement
Components: Frontend
Reporter: Fang-Yu Rao
We started supporting {{ADMIN OPTION}} clause for {{{}GRANT{}}}/{{{}REVOKE
ROLE{}}} after IMPALA-14954. It may make management of roles easier for a role
administrator, if a role administrator is allowed to display its managed roles
granted to users and groups.
Currently, we use the following at
pache/impala/blob/6da4ba8/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L114-L117
to determine whether a requesting user is allowed to display the roles granted
to a specified group or user.
{code:java}
boolean adminOp =
!(groups.contains(params.getGrant_group())
|| params.getRequesting_user().equals(params.getGrant_user())
|| params.is_show_current_roles);
{code}
Specifically, when a) the requesting user does not belong to the specified
group, and b) the requesting user is not the specified user, and c) the command
is not {{{}SHOW CURRENT ROLES{}}}, we will require the requesting user to be an
service administrator (from Ranger's perspective). Such a requirement seems to
be a bit too restrictive for {{SHOW ROLE GRANT GROUP <group_name>}} and
{{{}SHOW ROLE GRANT USER <user_name>{}}}.
It would make role management easier if we relax the requirement above a bit
for {{SHOW ROLE GRANT GROUP <group_name>}} and {{{}SHOW ROLE GRANT USER
<user_name>{}}}. For instance, we may consider changing the checks to the
following.
- Check whether the requesting user is a) a service administrator, or b)
belongs to the group of the specified group, or c) is the specified user. If
any one of the above is true, we allow the requesting user to display all the
roles granted to the specified principal (either a group or a user).
- When the requesting user does not satisfy any requirement above, get the
list roles of which the requesting user is a role administrator, and the list
of all the roles granted to the specified principal. Compute the intersection
of the 2 lists, and return the roles in the intersection to the requesting user.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)