Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/14894 )
Change subject: IMPALA-9009: Core support for Ranger column masking
......................................................................

Patch Set 12:

(2 comments)

> Patch Set 11:
>
> (2 comments)
>
> Thanks for looking into the tests, Fang-Yu!
>
> I also updated the design doc for this patch:
> https://docs.google.com/document/d/1GC7au6F5Snp8zQisRopOhKSjKsI1XPPg8S2foQxfJrA/edit?usp=sharing
> Hope it can ease the review process!

Thanks for the pointer Quanlong! I will read the design doc today to have a deeper understanding of your patch.

http://gerrit.cloudera.org:8080/#/c/14894/11/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java:

http://gerrit.cloudera.org:8080/#/c/14894/11/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@2918
PS11, Line 2918: .error(rowFilterError(String.forma
> I'm not sure whether we should delete this test (testColumnMaskEnabled). Th

Thanks for the confirmation!

According to https://github.com/apache/impala/blob/master/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java#L137, in a Ranger test, the requesting user 'user_' will be set to "new User("non_owner")", which is not the owner of the resource. In my dev environment, if I execute something like "authorize(String.format("select string_col from functional.%s", tableName)).ok()", I will get the following error message.

org.apache.impala.authorization.AuthorizationException: Principal: non_owner Statement: select string_col from functional.alltypes Error: User 'non_owner' does not have privileges to execute 'SELECT' on: functional.alltypes

If there is no error message produced in your dev environment, then it implies either 1) the requesting user corresponds to "new (System.getProperty("user.name"))", which is the owner of the resource, or 2) the requesting user corresponds to 'non_owner', but 'non_owner' still possesses sufficient privileges.

Considering the function ok() in AuthorizationTestBase.java will always clean up the granted privileges after testing a query (https://github.com/apache/impala/blob/master/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java#L417), I was also wondering if it is possible that the function call "withPrincipal.cleanUp()" does not really revoke the privileges sometimes. Or, is it possible that there are still some granted privileges to 'non_owner' left on the Ranger server that make Ranger approve the request (maybe due to some previous FE or EE tests)?

http://gerrit.cloudera.org:8080/#/c/14894/11/tests/authorization/test_ranger.py
File tests/authorization/test_ranger.py:

http://gerrit.cloudera.org:8080/#/c/14894/11/tests/authorization/test_ranger.py@838
PS11, Line 838: finally:
> Good point! Added the REVOKE.

Thanks Quanlong!

--
To view, visit http://gerrit.cloudera.org:8080/14894
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4cad60e0e69ea573b7ecfc011b142c46ef52ed61
Gerrit-Change-Number: 14894
Gerrit-PatchSet: 12
Gerrit-Owner: Quanlong Huang <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Kurt Deschler <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Reviewer: Vihang Karajgaonkar <[email protected]>
Gerrit-Comment-Date: Mon, 06 Jan 2020 17:50:25 +0000
Gerrit-HasComments: Yes
