Fang-Yu Rao has uploaded this change for review. ( http://gerrit.cloudera.org:8080/16423 )


Change subject: IMPALA-10122 (Part 1): Deny access to views not authorized at creation
......................................................................

IMPALA-10122 (Part 1): Deny access to views not authorized at creation

After HIVE-24026, a non-superuser is allowed to create, alter, and drop
a view directly in the HiveMetaStore via a Spark client without the
Impala FE or the HiveServer2 being involved to perform the corresponding
authorization checks to see if the non-superuser possesses the required
privileges on the underlying tables. This opens up the possibility that
a non-superuser is able to replace the underlying tables referenced in a
view with some other tables even though this non-superuser does not
possess the necessary privileges on those tables substituting for the
tables originally referenced in the view.

Recall that currently when a user is requesting to select a view in
Impala, the Impala FE only requires that there is a Ranger policy
granting the requesting user the SELECT privilege on the view but not
the SELECT privileges on the underlying tables of the view. Therefore,
with the change of HIVE-24026, a non-superuser is able to access the
data in tables for which the permission was not granted through either
i) an ALTER VIEW statement, or ii) a CREATE VIEW statement followed by a
DROP VIEW statement given that there is already a Ranger policy allowing
this user to select this view.

To prevent a user from accessing the data in tables on which the user
does not possess the required privileges, we could employ the Boolean
table property of 'Authorized' that was introduced in HIVE-24026.
Specifically, after HIVE-24026, if a view was created without the
corresponding privileges on the underlying tables being checked, the
HiveMetaStore would set this property to false and the property will not
be added if the view was authorized at creation time for backward
compatibility. Based on this table property, it is possible for the
Impala FE to determine whether or not it should additionally check for
the requesting user's privileges on the underlying tables of a view
after HIVE-24026 at selection time, but it would require a more thorough
investigation regarding how to revise the way the Impala FE registers
the authorization requests given a query.

To mitigate this potential security breach before we figure out how to
perform authorization for a view whose creation was not authorized, in
this patch, we introduce a temporary field of 'viewCreatedWithoutAuthz_'
in the class of AuthorizableTable that indicates whether or not a given
table corresponds to a view that was not authorized at creation time,
allowing the Impala FE to deny the SELECT access to a view
whose creation was not authorized in
BaseAuthorizationChecker#authorizeTableAccess().

Testing:
 - Manually verified that after using beeline to set the table property
   of 'Authorized' corresponding to a view to false, no user is able to
   select data from this view. Recall that Impala does not support the
   ALTER VIEW SET TBLPROPERTIES statement.
 - Verified that the patch could pass the exhaustive tests in the DEBUG
   build.

Change-Id: I73965e05586771de85fa6f73c452e3de4f312034
---
M fe/src/main/java/org/apache/impala/analysis/Analyzer.java
M fe/src/main/java/org/apache/impala/analysis/DescribeTableStmt.java
M fe/src/main/java/org/apache/impala/analysis/DropTableOrViewStmt.java
M fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java
M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java
9 files changed, 156 insertions(+), 23 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/23/16423/1
--
To view, visit http://gerrit.cloudera.org:8080/16423
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I73965e05586771de85fa6f73c452e3de4f312034
Gerrit-Change-Number: 16423
Gerrit-PatchSet: 1
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Reviewer: Vihang Karajgaonkar <[email protected]>

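The check described in the change above, as a simplified model added here for illustration; it is not Impala's own code. The 'Authorized' table property and the idea of the viewCreatedWithoutAuthz_ flag come from the commit message; the table metadata, the Ranger-style policy set and the function names are constructed for this example.

```python
# Constructed metadata: two views and the tables they reference. After
# HIVE-24026 the HiveMetaStore sets 'Authorized' = 'false' on a view whose
# creation was not authorized; the property is absent on views that were
# authorized at creation (backward compatibility).
TABLES = {
    "db.sales_summary": {"kind": "VIEW", "props": {"Authorized": "false"},
                         "refs": ["db.salaries"]},
    "db.ok_view":       {"kind": "VIEW", "props": {}, "refs": ["db.public"]},
    "db.salaries":      {"kind": "TABLE", "props": {}, "refs": []},
    "db.public":        {"kind": "TABLE", "props": {}, "refs": []},
}

# Constructed Ranger-like policies: user -> objects with a SELECT grant.
# Note that alice has SELECT on the view but not on db.salaries.
POLICIES = {"alice": {"db.sales_summary", "db.ok_view", "db.public"}}


def view_created_without_authz(meta):
    """Model of the commit's viewCreatedWithoutAuthz_ flag: true only for a
    view whose 'Authorized' property is explicitly set to false."""
    return (meta["kind"] == "VIEW"
            and meta["props"].get("Authorized", "true").lower() == "false")


def legacy_authorize_select(user, name, tables=TABLES, policies=POLICIES):
    """Pre-patch behaviour: a SELECT policy on the view itself is enough,
    so alice can read db.salaries through db.sales_summary."""
    return name in policies.get(user, set())


def authorize_select(user, name, tables=TABLES, policies=POLICIES):
    """Patched behaviour: same policy check, plus denial of any view the
    HMS marked as created without authorization. Returns (allowed, reason)."""
    meta = tables[name]
    if name not in policies.get(user, set()):
        return False, "no SELECT policy on %s" % name
    if view_created_without_authz(meta):
        return False, "view %s was not authorized at creation" % name
    return True, "ok"


if __name__ == "__main__":
    for obj in ("db.sales_summary", "db.ok_view"):
        print(obj, "legacy:", legacy_authorize_select("alice", obj),
              "patched:", authorize_select("alice", obj))
```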