Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )
Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user ...................................................................... Patch Set 3: (1 comment) I realized that audits are not handled correctly. It should be marked as denied by the masking policy. Refactor the change to check masking policies in a deeper place so we can modify the deny audit. Also added some audit unit tests. However, RangerAuditLogTest.testAuditsForColumnMasking seems flaky. Still debugging on it. http://gerrit.cloudera.org:8080/#/c/17230/2/fe/src/main/java/org/apache/impala/authorization/Privilege.java File fe/src/main/java/org/apache/impala/authorization/Privilege.java: http://gerrit.cloudera.org:8080/#/c/17230/2/fe/src/main/java/org/apache/impala/authorization/Privilege.java@93 PS2, Line 93: return this == ALTER || this == DROP || this == CREATE || this == INSERT > Curious if INVALIDATE METADATA <table> command will/should be blocked with Yes, it requires REFRESH privilege: https://github.com/apache/impala/blob/311938b4f500aeb26f5a42cd955231588821e18b/fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java#L192 Added test cases for this. -- To view, visit http://gerrit.cloudera.org:8080/17230 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326 Gerrit-Change-Number: 17230 Gerrit-PatchSet: 3 Gerrit-Owner: Quanlong Huang <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Fri, 26 Mar 2021 03:19:40 +0000 Gerrit-HasComments: Yes
