Austin Nobis has uploaded a new patch set (#7). ( http://gerrit.cloudera.org:8080/12769 )
Change subject: IMPALA-8225: Add Ranger support for grant/revoke privilege to/from user ...................................................................... IMPALA-8225: Add Ranger support for grant/revoke privilege to/from user This patch adds support for GRANT privilege statements to USER and REVOKE privilege statements from USER. The RangerAuthorizationManager class has been created and will throw UnsupportedOperationException when an unimplemented method is called. The grammar has been updated to support FROM USER and TO USER for GRANT/REVOKE statements. Previously, privileges could be granted to a ROLE via GRANT/REVOKE statements even when the ROLE keyword was omitted, i.e: GRANT <privilege> ON <resource> TO <role> This is still the case for ROLE based authorization to preserve backward compatibility, but Ranger will throw an exception when a GRANT/REVOKE statement excludes the USER keyword. The syntax for the new statement is: GRANT <privilege> ON <resource> TO USER <user> REVOKE <privilege> ON <resource> FROM USER <user> Sentry does not support grant/revoke to/from user. Testing: - An additional end to end test, test_ranger.py, was added. A single test was added that grants and revokes for a user and asserts permissions on a table. The test uses sleep statements to work with Ranger's polling interval for policy changes. More end to end tests will be added in the future when the refresh authorization statement works properly with Ranger. - AuthorizationStmtTest has been refactored to use the new RangerCatalogdAuthorizationManager grant/revoke methods for better test coverage. - Ran all FE tests - Ran all E2E authorization tests Change-Id: I6ee97bf41546d63385026c0e2b19545565402462 --- M common/thrift/JniCatalog.thrift M fe/src/main/cup/sql-parser.cup M fe/src/main/java/org/apache/impala/analysis/GrantRevokePrivStmt.java M fe/src/main/java/org/apache/impala/authorization/AuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/NoneAuthorizationFactory.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationFactory.java A fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/sentry/SentryCatalogdAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/sentry/SentryImpaladAuthorizationManager.java M fe/src/main/java/org/apache/impala/service/CatalogOpExecutor.java M fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java A tests/authorization/test_ranger.py 13 files changed, 598 insertions(+), 224 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/69/12769/7 -- To view, visit http://gerrit.cloudera.org:8080/12769 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I6ee97bf41546d63385026c0e2b19545565402462 Gerrit-Change-Number: 12769 Gerrit-PatchSet: 7 Gerrit-Owner: Austin Nobis <ano...@cloudera.com> Gerrit-Reviewer: Austin Nobis <ano...@cloudera.com> Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
