[ https://issues.apache.org/jira/browse/IMPALA-4951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bikramjeet Vig resolved IMPALA-4951.
------------------------------------
Resolution: Fixed
Fix Version/s: Impala 2.11.0
https://github.com/cloudera/Impala/commit/00c6c9cb314dc3d6fd5f024253b1e4cc8116e33f
IMPALA-4951: Fix database visibility for user with only column privilege
Currently a database is not visible to a user that only has column
level privileges for tables in that database. This patch will make
the database visible, which is the expected behavior in this case.
Testing: added a test case to verify the same.
Change-Id: Id77904876729c0223fd6ace2d5e7199bd700a33a
Reviewed-on: http://gerrit.cloudera.org:8080/8168
Reviewed-by: Bikramjeet Vig <[email protected]>
Tested-by: Impala Public Jenkins
> Impala does not show database if the user only has column-level access
> ----------------------------------------------------------------------
>
> Key: IMPALA-4951
> URL: https://issues.apache.org/jira/browse/IMPALA-4951
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 2.6.0
> Reporter: Sudarshan
> Assignee: Bikramjeet Vig
> Priority: Critical
> Labels: ramp-up, security
> Fix For: Impala 2.11.0
>
>
> Following are the steps to reproduce it.
> 1) As a Sentry admin user, create the database, table and grant SELECT
> privileges on a selected column to a user. In this example
> {code:java}
> admin user = hive
> restricted user = kms
> database name = test_db
> table name = test_tbl(col1 int, col2 int)
> role name = test_role
> {code}
> Following are the commands to accomplish it.
> {code:java}
> create database test_db;
> create role test_role;
> create table test_db.test_tbl (col1 int, col2 int);
> GRANT SELECT(col1) ON TABLE test_db.test_tbl TO ROLE test_role;
> grant role test_role to group kms;
> show grant role test_role;
> {code}
> (Before the second step, do an invalidate metadata in Impala if the above was
> done using Hive)
> 2) Now, connect with the user that has the role test_role and list the
> databases (user kms in our example). See inline highlighted with left arrow
> <===
> {code:java}
> [nightly59-2.gce.cloudera.com:25003] > show current roles;
> Query: show current roles
> +-----------+
> | role_name |
> +-----------+
> | test_role |
> +-----------+
> Fetched 1 row(s) in 0.02s
> [nightly59-2.gce.cloudera.com:25003] > show grant role test_role;
> Query: show grant role test_role
> +--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
> | scope  | database | table    | column | uri | privilege | grant_option | create_time                   |
> +--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
> | COLUMN | test_db  | test_tbl | col1   |     | SELECT    | false        | Fri, Feb 17 2017 15:50:23.791 |
> +--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 1 row(s) in 0.07s
> [nightly59-2.gce.cloudera.com:25003] > show databases; <==== Note that it doesn't display test_db
> Query: show databases
> +---------+-----------------------+
> | name | comment |
> +---------+-----------------------+
> | default | Default Hive database |
> +---------+-----------------------+
> Fetched 1 row(s) in 0.02s
> [nightly59-2.gce.cloudera.com:25003] >
> {code}
> In contrast, connect using beeline and it does show the database test_db to
> the user as follows.
> {code:java}
> 0: jdbc:hive2://nightly59-1.gce.cloudera.com:> show current roles;
> +------------+--+
> | role |
> +------------+--+
> | test_role |
> +------------+--+
> 1 row selected (0.816 seconds)
> 0: jdbc:hive2://nightly59-1.gce.cloudera.com:>
> 0: jdbc:hive2://nightly59-1.gce.cloudera.com:> show databases; <==== Note that test_db is displayed
> +----------------+--+
> | database_name |
> +----------------+--+
> | default |
> | test_db |
> +----------------+--+
> 2 rows selected (2.804 seconds)
> 0: jdbc:hive2://nightly59-1.gce.cloudera.com:>
> {code}
> Even the Impala editor in Hue doesn't show the database whereas the Hive
> editor in Hue shows the database if you have access to a column in a table in
> that database.
> Thanks,
> Sudarshan
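
Added example (not part of the JIRA message or the Impala patch): a small Python model of the visibility rule the commit message describes, where a grant at any scope inside a database, including COLUMN, makes that database appear in SHOW DATABASES. Grant, visible_databases, honor_column_grants, other_db and other_role are hypothetical names, and treating "default" as always listed is an assumption taken from the output quoted above.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumption: "default" is listed for every user, as in the SHOW DATABASES output above.
ALWAYS_VISIBLE = {"default"}

@dataclass(frozen=True)
class Grant:
    """One row of SHOW GRANT ROLE; None means the grant is not scoped that deep."""
    role: str
    privilege: str
    database: Optional[str] = None
    table: Optional[str] = None
    column: Optional[str] = None

    @property
    def scope(self) -> str:
        if self.column is not None:
            return "COLUMN"
        if self.table is not None:
            return "TABLE"
        return "DATABASE" if self.database is not None else "SERVER"

def visible_databases(databases: Iterable[str], grants: Iterable[Grant],
                      roles: Set[str], honor_column_grants: bool) -> List[str]:
    """honor_column_grants=False models the reported behaviour, True the fixed one."""
    active = [g for g in grants if g.role in roles]
    if not honor_column_grants:
        # Reported behaviour: a role holding only COLUMN grants contributes nothing.
        active = [g for g in active if g.scope != "COLUMN"]
    return [db for db in databases
            if db in ALWAYS_VISIBLE
            or any(g.scope == "SERVER" or g.database == db for g in active)]

# Constructed sample data mirroring the reproduction steps; other_db and
# other_role are hypothetical additions to show that nothing else becomes visible.
DATABASES = ["default", "other_db", "test_db"]
GRANTS = [
    Grant("test_role", "SELECT", "test_db", "test_tbl", "col1"),
    Grant("other_role", "ALL", "other_db"),
]

if __name__ == "__main__":
    for honor in (False, True):
        print(honor, visible_databases(DATABASES, GRANTS, {"test_role"}, honor))
```

The same pair of assertions, one per scope level, is a useful shape for an authorization regression test: the column-only role must see test_db and must not see other_db.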