Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/12927 )
Change subject: IMPALA-8363: Deny access when column masking or row filtering is enabled in Ranger ...................................................................... Patch Set 4: (1 comment) http://gerrit.cloudera.org:8080/#/c/12927/4/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java File fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java: http://gerrit.cloudera.org:8080/#/c/12927/4/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@160 PS4, Line 160: case COLUMN: > I had somewhat similar concerns and I was chatting with Fredy offline on ho Yea I didn't think about masking in views -- does that apply based on the base table masking permissions instead of the view permissions? Either way I think we could probably extend the PrivilegeRequest structure to have some more info, like whether the requested column/table is directly accessed or via a resolved view, and be more accurate about the requested permission being 'view_metadata' vs 'select' so that we can treat them differently here. -- To view, visit http://gerrit.cloudera.org:8080/12927 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: If46b4bf24d916e4a4ea8a36ff4acfd95d5f45c8e Gerrit-Change-Number: 12927 Gerrit-PatchSet: 4 Gerrit-Owner: Fredy Wijaya <[email protected]> Gerrit-Reviewer: Austin Nobis <[email protected]> Gerrit-Reviewer: Bharath Vissapragada <[email protected]> Gerrit-Reviewer: Fredy Wijaya <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Todd Lipcon <[email protected]> Gerrit-Comment-Date: Fri, 05 Apr 2019 20:50:40 +0000 Gerrit-HasComments: Yes
