Hello Austin Nobis, Todd Lipcon, Impala Public Jenkins, I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/14106 to look at the new patch set (#3). Change subject: [WIP] IMPALA-8228: Ownership support for Ranger authz ...................................................................... [WIP] IMPALA-8228: Ownership support for Ranger authz Without this patch, explicit privileges are needed even for owners of databases/tables to perform actions on them. Example: 'user' is the owner of database 'foo'. To create a table 't' under 'foo', 'user' needs to be granted a CREATE privilege on 'foo' That is unintuitive from a user POV since users expect owners to have ALL privileges on the objects they own. This patch extends that support to Impala's ranger authorization plugin. Ranger natively supports the concept of ownership by letting the callers pass the ownership context to RangerAccessResourceImpl. This patch plumbs the owner information for the authorizables (currently only supported for Tables / Databases) which is then evaulated during authorization. For the ownership based authorization to work, ranger-admin side policy on {OWNER} user needs to be defined. (TODO) Working on tests. Change-Id: I737b7164a3e7afb9996b3402e6872effd663f7b4 --- M fe/src/main/java/org/apache/impala/analysis/Analyzer.java M fe/src/main/java/org/apache/impala/analysis/CollectionTableRef.java M fe/src/main/java/org/apache/impala/analysis/CopyTestCaseStmt.java M fe/src/main/java/org/apache/impala/analysis/DescribeTableStmt.java M fe/src/main/java/org/apache/impala/analysis/InsertStmt.java M fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java M fe/src/main/java/org/apache/impala/analysis/SelectStmt.java M fe/src/main/java/org/apache/impala/authorization/Authorizable.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableColumn.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableDb.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizableFactory.java M fe/src/main/java/org/apache/impala/catalog/BuiltinsDb.java M fe/src/main/java/org/apache/impala/catalog/Db.java M fe/src/main/java/org/apache/impala/catalog/FeDb.java M fe/src/main/java/org/apache/impala/catalog/FeTable.java M fe/src/main/java/org/apache/impala/catalog/Table.java M fe/src/main/java/org/apache/impala/catalog/local/LocalDb.java M fe/src/main/java/org/apache/impala/catalog/local/LocalTable.java M fe/src/main/java/org/apache/impala/service/Frontend.java 25 files changed, 250 insertions(+), 85 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/06/14106/3 -- To view, visit http://gerrit.cloudera.org:8080/14106 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I737b7164a3e7afb9996b3402e6872effd663f7b4 Gerrit-Change-Number: 14106 Gerrit-PatchSet: 3 Gerrit-Owner: Bharath Vissapragada <bhara...@cloudera.com> Gerrit-Reviewer: Austin Nobis <ano...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Todd Lipcon <t...@apache.org>