Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/23569 )
Change subject: IMPALA-14507: Register column-level privilege requests for INSERT
......................................................................

Patch Set 7:

(1 comment)

Thanks to Quanlong for spotting a bug. I will try to prepare a fix for the bug soon.

http://gerrit.cloudera.org:8080/#/c/23569/7/tests/authorization/test_ranger.py
File tests/authorization/test_ranger.py:

http://gerrit.cloudera.org:8080/#/c/23569/7/tests/authorization/test_ranger.py@1489
PS7, Line 1489: def _test_deny_insert_into_column(self, unique_name):

Good catch Quanlong! I think you spotted a bug.

> Can we add another test that if there is a column-masking policy enabled for
> the user on a column, the user shouldn't be able to insert the column but OK
> on other columns? IIUC, column-masking policy should block users from
> modifying the source of the masked data (RANGER-1087).

Assuming that a user was granted the INSERT privilege on a column 'col_1' of a table, the behavior of the current patch does not block this user from inserting data into a column 'col_1', even if there is a column masking policy defined against the user on another column 'col_2' of the same table.

I checked the behavior of Hive Server2 with Ranger being the authorizer, and found that HS2 would block the user from inserting into column 'col_1' in the aforementioned scenario.

I think we need to slightly revise the logic in RangerAuthorizationChecker#authorizeByTableMasking(). Specifically, when the Authorizable refers to a column, we need to additionally check whether or not there is any column masking policy defined on other columns of the same table against the same requesting user.

Don't know if there is a better way, but we may need to add to the class AuthorizableColumn a field of list that consists of all other columns of the same table apart from the column that an instance of AuthorizableColumn corresponds to. This would allow us to check whether there is any other column masking policy defined on any other column of the same table, when authorizeByTableMasking() is invoked.

--
To view, visit http://gerrit.cloudera.org:8080/23569
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I2ef61801d3b394c56702b193c250492a62b111df
Gerrit-Change-Number: 23569
Gerrit-PatchSet: 7
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Noemi Pap-Takacs <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Reviewer: Riza Suminto <[email protected]>
Gerrit-Comment-Date: Wed, 12 Nov 2025 23:31:46 +0000
Gerrit-HasComments: Yes
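
The column-level check proposed in the comment above, as an added example that is not part of the original message or of Impala's code: a simplified Python model in which `TablePolicies`, `allow_insert_per_column` and `allow_insert_table_aware` are hypothetical names. The per-column function is an assumed stand-in for the patch set 7 behaviour the comment describes, and the users and policies are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class TablePolicies:
    """Toy stand-in for the Ranger policies on one table (hypothetical model)."""
    columns: list
    insert_grants: set = field(default_factory=set)  # {(user, column)}
    masks: set = field(default_factory=set)          # {(user, column)}


def masked_columns(policies, user):
    return {col for (u, col) in policies.masks if u == user}


def allow_insert_per_column(policies, user, column):
    """Assumed model of the behaviour described for patch set 7: only the
    requested column's own masking policy is consulted."""
    if (user, column) not in policies.insert_grants:
        return False
    return column not in masked_columns(policies, user)


def allow_insert_table_aware(policies, user, column):
    """Proposed check: a mask on any other column of the same table, for the
    same user, also blocks the INSERT (what the comment reports for HS2)."""
    if (user, column) not in policies.insert_grants:
        return False
    siblings = [c for c in policies.columns if c != column]
    masked = masked_columns(policies, user)
    return column not in masked and not any(c in masked for c in siblings)


def build_sample():
    # Constructed scenario from the comment: INSERT granted on col_1,
    # column mask defined on col_2 for the same user (alice); bob has no mask.
    p = TablePolicies(columns=["col_1", "col_2", "col_3"])
    p.insert_grants.add(("alice", "col_1"))
    p.insert_grants.add(("bob", "col_1"))
    p.masks.add(("alice", "col_2"))
    return p


if __name__ == "__main__":
    p = build_sample()
    for user in ("alice", "bob"):
        print(user, allow_insert_per_column(p, user, "col_1"),
              allow_insert_table_aware(p, user, "col_1"))
```

The `siblings` list plays the role of the extra field suggested for AuthorizableColumn: the check needs the other columns of the table to find masks that the requested column alone does not reveal.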
