Halim Kim has posted comments on this change. ( http://gerrit.cloudera.org:8080/20221 )
Change subject: IMPALA-12291 impala checks hdfs ranger policy ...................................................................... Patch Set 9: (2 comments) http://gerrit.cloudera.org:8080/#/c/20221/5/fe/src/main/java/org/apache/impala/catalog/HdfsTable.java File fe/src/main/java/org/apache/impala/catalog/HdfsTable.java: http://gerrit.cloudera.org:8080/#/c/20221/5/fe/src/main/java/org/apache/impala/catalog/HdfsTable.java@852 PS5, Line 852: location = location.getParent(); > Thanks for the suggestion Quanlong! Your test code will be very helpful. Thank you Fang-Yu. I agree with the idea to hdfs permission check in query analysis when ranger is enabled. however, It seems like query planning gets less thorough just because ranger is enabled. how about adding a flag to decide whether hdfs permission should be checked or not like --hdfs_permission_check=true (or false)? I think it is more reasonable to give user a choice. In other words, Asking user if you want a AnalysisException or Runtime Exception. Of course, we should add guidance to use --hdfs_permission_check flag. Recommend to disable it when ranger is enabled. http://gerrit.cloudera.org:8080/#/c/20221/5/fe/src/main/java/org/apache/impala/service/Frontend.java File fe/src/main/java/org/apache/impala/service/Frontend.java: http://gerrit.cloudera.org:8080/#/c/20221/5/fe/src/main/java/org/apache/impala/service/Frontend.java@2109 PS5, Line 2109: LOG.warn("Analysis Exception query {}: {}", : queryCtx.client_request.stmt, errorMsg); > Not very sure if I missed something. Since we will throw the exception that In retrospect, I think I found it difficult to know which query is in trouble so that I put one more catch statement to catch the query. But now, I realize that there is already AnalysisException message like below. ``` AnalysisException: Unable to INSERT into target table (testdb.testtable) because Impala does not have WRITE access to HDFS location: hdfs://testcluster/warehouse/testdb.db/testtable ``` To conclude, It is not necessary to catch like that because we can find which query has permission issue by an AnalysisException thrown. Thank you for commenting. -- To view, visit http://gerrit.cloudera.org:8080/20221 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Id33c400fbe0c918b6b65d713b09009512835a4c9 Gerrit-Change-Number: 20221 Gerrit-PatchSet: 9 Gerrit-Owner: Halim Kim <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Halim Kim <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Wed, 03 Apr 2024 02:53:02 +0000 Gerrit-HasComments: Yes
