Fang-Yu Rao created IMPALA-15190:
------------------------------------

             Summary: Allow a role administrator to display the managed roles 
granted to users and groups
                 Key: IMPALA-15190
                 URL: https://issues.apache.org/jira/browse/IMPALA-15190
             Project: IMPALA
          Issue Type: Improvement
          Components: Frontend
            Reporter: Fang-Yu Rao


We started supporting {{ADMIN OPTION}} clause for {{{}GRANT{}}}/{{{}REVOKE 
ROLE{}}} after IMPALA-14954. It may make management of roles easier for a role 
administrator, if a role administrator is allowed to display its managed roles 
granted to users and groups.

 

Currently, we use the following at 
pache/impala/blob/6da4ba8/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L114-L117
 to determine whether a requesting user is allowed to display the roles granted 
to a specified group or user.
{code:java}
      boolean adminOp =
          !(groups.contains(params.getGrant_group())
              || params.getRequesting_user().equals(params.getGrant_user())
              || params.is_show_current_roles);
{code}
 

Specifically, when a) the requesting user does not belong to the specified 
group, and b) the requesting user is not the specified user, and c) the command 
is not {{{}SHOW CURRENT ROLES{}}}, we will require the requesting user to be an 
service administrator (from Ranger's perspective). Such a requirement seems to 
be a bit too restrictive for {{SHOW ROLE GRANT GROUP <group_name>}} and 
{{{}SHOW ROLE GRANT USER <user_name>{}}}.

 

It would make role management easier if we relax the requirement above a bit 
for {{SHOW ROLE GRANT GROUP <group_name>}} and {{{}SHOW ROLE GRANT USER 
<user_name>{}}}. For instance, we may consider changing the checks to the 
following.
 - Check whether the requesting user is a) a service administrator, or b) 
belongs to the group of the specified group, or c) is the specified user. If 
any one of the above is true, we allow the requesting user to display all the 
roles granted to the specified principal (either a group or a user).
 - When the requesting user does not satisfy any requirement above, get the 
list roles of which the requesting user is a role administrator, and the list 
of all the roles granted to the specified principal. Compute the intersection 
of the 2 lists, and return the roles in the intersection to the requesting user.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to