Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/14894 )
Change subject: IMPALA-9009: Core support for Ranger column masking ...................................................................... Patch Set 12: (2 comments) http://gerrit.cloudera.org:8080/#/c/14894/12/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java: http://gerrit.cloudera.org:8080/#/c/14894/12/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@a2923 PS12, Line 2923: As I recall, the second argument to the function substr() starts from 1 instead of 0. It may be better to replace the second argument with 1 if we decide to keep this unit test in the end. Or you use 0 as the second argument for some specific reason? Thanks! http://gerrit.cloudera.org:8080/#/c/14894/12/testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking.test File testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking.test: http://gerrit.cloudera.org:8080/#/c/14894/12/testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking.test@240 PS12, Line 240: 0aaaaaa > It looks like the 3rd column masking policy (the one concatenating the cont Moreover, after executing the SQL statements above in an Impala cluster without Ranger being enabled, I got the following results. +----+----------+------------+---------+-----+------------+ | id | bool_col | string_col | int_col | cnt | string_col | +----+----------+------------+---------+-----+------------+ | 0 | true | 0 | 0 | 4 | 0 | | 1 | false | 1 | 1 | 4 | 1 | +----+----------+------------+---------+-----+------------+ That is, there are actually two returned rows instead of 1 row when authorization is not enabled. Intuitively, when column masking is enabled, the number of rows returned should still be the same. My guess is that one of the masked columns in the table 'v1', i.e., 'v1.id', also appears in the corresponding predicate when joining table 'iv1' and table 'iv2' (iv1.id = iv2.int_col), and since the column of 'v1.id' in the row with 'id' equal to 1 (before the transformation) has been multiplied by 100, this transformed row cannot find any matching row in the table 'iv2'. Is my understanding correct? Thanks! -- To view, visit http://gerrit.cloudera.org:8080/14894 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I4cad60e0e69ea573b7ecfc011b142c46ef52ed61 Gerrit-Change-Number: 14894 Gerrit-PatchSet: 12 Gerrit-Owner: Quanlong Huang <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Kurt Deschler <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Reviewer: Vihang Karajgaonkar <[email protected]> Gerrit-Comment-Date: Mon, 06 Jan 2020 21:38:35 +0000 Gerrit-HasComments: Yes
