Fang-Yu Rao has uploaded a new patch set (#4). ( http://gerrit.cloudera.org:8080/15088 )

Change subject: IMPALA-9149: part 2: Re-enable Ranger-related EE tests
......................................................................

IMPALA-9149: part 2: Re-enable Ranger-related EE tests

In IMPALA-9047, we disabled some Ranger-related FE and BE tests due to
changes in Ranger's behavior after upgrading Ranger from 1.2 to 2.0.
This patch aims to re-enable those disabled EE tests in
tests/authorization/test_authorized_proxy.py and
tests/authorization/test_ranger.py to increase Impala's test coverage of
authorization via Ranger.

The Ranger-related tests in test_authorized_proxy.py test Impala's
delegation for clients. Two types of delegation are supported in Impala,
i.e., a user can delegate the execution of a query to either 1) another
user, or 2) a group of users. In the former case, Ranger will check
whether or not the delegated user specified in the option
'authorized_proxy_user_config' possesses sufficient privileges to access
the resources, whereas in the latter case, before checking the delegated
group is granted sufficient privileges, Ranger will check with the help
of Impala whether or not the delegated user specified in
'authorized_proxy_user_config' belongs to the delegated group specified
in 'authorized_proxy_group_config' in the underlying OS. This type of
delegation requires Impala to retrieve the groups the delegated user
belongs to from the underlying OS and thus if the delegated user does
not exist in the underlying OS, Impala would inform Ranger that the
delegated user does not belong to any group, which in turn would fail
the authorization even though in the policies on the Ranger server, the
delegated user belongs to the delegated group and the delegated group is
granted sufficient privileges.

The re-enabled Ranger tests in test_authorized_proxy.py involve queries
in which the delegated user, i.e., 'non_owner', does not exist in the
underlying OS. We use 'non_owner' as the delegated user instead of
getuser() so that we will have to explicitly grant 'non_owner'
sufficient privileges of accessing the resources. To avoid the need for
creating an actual delegated user and its corresponding delegated groups
in the underlying OS when running the EE tests, we added to
'impalad_args' an additional option, i.e.,
'use_customized_user_groups_mapper_for_ranger', which, when set to true,
allows Impala to use a customized user-to-groups mapping when performing
authorization via Ranger. On the other hand, we set the delegated user
to getuser() when running the respective Sentry related tests to avoid
the need for having to provide Sentry with a customized user-to-groups
mapping.

To re-enable test_legacy_catalog_ownership() in test_ranger.py, we
removed in _test_ownership() a test query that was expected to fail the
authorization in Ranger 1.2 but passes the authorization in Ranger 2.0.
This is due to the fact that in Ranger 2.0, a user does not have to be
explicitly granted the privileges of accessing a resource as long as the
user is the owner of the resource.

Testing:
- Passed FE tests.
- Passed the tests in test_authorized_proxy.py.
- Passed the tests in test_ranger.py.

Change-Id: I17420d7ff9beacd1b4d2ad72b68b8b54983e60cb
---
M be/src/common/global-flags.cc
M be/src/util/backend-gflag-util.cc
M common/thrift/BackendGflags.thrift
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/service/BackendConfig.java
M tests/authorization/test_authorized_proxy.py
M tests/authorization/test_ranger.py
7 files changed, 90 insertions(+), 103 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/88/15088/4
--
To view, visit http://gerrit.cloudera.org:8080/15088
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I17420d7ff9beacd1b4d2ad72b68b8b54983e60cb
Gerrit-Change-Number: 15088
Gerrit-PatchSet: 4
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Kurt Deschler <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
