Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/20508 )
Change subject: IMPALA-12398: Fix Ranger role not exists when altering db/table/view owner to a role ...................................................................... IMPALA-12398: Fix Ranger role not exists when altering db/table/view owner to a role When Role '<ROLE_NAME>' is created with Ranger authorization enabled, if 'ALTER TABLE <TABLE_NAME> SET OWNER ROLE <ROLE_NAME>' statement is executed to assign role as the owner of the table, it will throw AnalysisException:Role '<ROLE_NAME>' does not exist. Before this patch, given the ALTER DATABASE/TABLE/VIEW SET OWNER ROLE statement, Impala always checked the existence of the given role in its AuthorizationPolicy. However, when the support for role-related statements with Ranger was added in IMPALA-10211, we only added the roles in RangerImpalaPlugin instead of AuthorizationPolicy. Therefore, the statement above would fail even though an authorized user tries to set the owner to an existing role in RangerImpalaPlugin. This patch will directly use ranger impala plugin to check the existence of the role, instead of using AuthorizationPolicy object. Tests: - Pass unit tests. test method testAlterView in AuthorizationStmtTest is updated accordingly. - Pass e2e tests. test method _test_ownership in test_ranger.py is updated to cover the new implementation. - Pass core tests with ranger enabled. Change-Id: I2b029bdb90111dbd0eab5189360cc81090225cda Reviewed-on: http://gerrit.cloudera.org:8080/20508 Reviewed-by: Impala Public Jenkins <[email protected]> Tested-by: Impala Public Jenkins <[email protected]> --- M fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java M fe/src/main/java/org/apache/impala/analysis/AlterTableOrViewSetOwnerStmt.java M fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/NoopAuthorizationFactory.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java A fe/src/test/java/org/apache/impala/authorization/CatalogServiceTestCatalogWithRanger.java M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java M fe/src/test/java/org/apache/impala/testutil/CatalogServiceTestCatalog.java M tests/authorization/test_ranger.py 12 files changed, 197 insertions(+), 14 deletions(-) Approvals: Impala Public Jenkins: Looks good to me, approved; Verified -- To view, visit http://gerrit.cloudera.org:8080/20508 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I2b029bdb90111dbd0eab5189360cc81090225cda Gerrit-Change-Number: 20508 Gerrit-PatchSet: 9 Gerrit-Owner: ji chen <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Reviewer: ji chen <[email protected]>
