Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 4:

(1 comment)

Changes for the last PS: populate the column names to AuthorizableTable so we 
can check all column masking policies of the table until we match a real mask 
policy (i.e. not an unmask policy).

http://gerrit.cloudera.org:8080/#/c/17230/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
File fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java:

http://gerrit.cloudera.org:8080/#/c/17230/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@658
PS3, Line 658:     // Check if masking is enabled for any column in the table/view.
             :     if (accessResult.getIsAllowed()) {
             :       List<String> columns;
             :       if (authorizable.getType() == Type.TABLE) {
             :         // Check all columns.
             :         columns = ((AuthorizableTable) authorizable).getColumns();
             :         LOG.trace("Checking mask policies on {} columns of table {}", columns.size(),
             :             authorizable.getFullTableName())
This is the cause of the flakiness. When multiple column masking policies 
exist, we only pick one and check one. However, the policy can be of the 
"unmask" type, which returns false in isMaskEnabled(). Then the table is 
considered to have no masking at all, regardless of other unpicked policies. 
The code here is similar to Hive's, so Hive also has this problem. Filed 
RANGER-3225 for the Hive Ranger plugin.

We fix this in the next patch set by checking masking policies on all columns 
until we meet one that is actually enabled.



--
To view, visit http://gerrit.cloudera.org:8080/17230

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 4
Gerrit-Owner: Quanlong Huang <[email protected]>
Gerrit-Reviewer: Aman Sinha <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Comment-Date: Mon, 29 Mar 2021 09:18:51 +0000
Gerrit-HasComments: Yes
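
The fail-open check described in the comment above, next to a check-all variant, as an added example that is not Impala or Ranger code. MaskType, tableMaskedPickOne and tableMaskedCheckAll are hypothetical names, the policy data is constructed, and "pick one" is assumed here to mean evaluating the first column's policy only.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration only; all types and method names here are hypothetical.
public class MaskCheckDemo {
  // Simplified stand-in for the outcome of a column masking policy lookup.
  enum MaskType { NONE, UNMASK, MASK_HASH }

  // Mirrors the behaviour the comment attributes to isMaskEnabled():
  // an "unmask" policy reports false, as does the absence of a policy.
  static boolean isMaskEnabled(MaskType type) {
    return type != MaskType.NONE && type != MaskType.UNMASK;
  }

  // Flawed check: one picked policy (assumed: the first column's) decides
  // for the whole table, so an "unmask" hit hides real masks elsewhere.
  static boolean tableMaskedPickOne(Map<String, MaskType> policies) {
    if (policies.isEmpty()) return false;
    return isMaskEnabled(policies.values().iterator().next());
  }

  // Check-all variant: walk every column until a policy that really masks.
  static boolean tableMaskedCheckAll(Map<String, MaskType> policies) {
    for (Map.Entry<String, MaskType> entry : policies.entrySet()) {
      if (isMaskEnabled(entry.getValue())) return true;
    }
    return false;
  }

  public static void main(String[] args) {
    // Constructed sample: the first column carries an "unmask" policy,
    // a later column carries a real mask.
    Map<String, MaskType> policies = new LinkedHashMap<>();
    policies.put("id", MaskType.UNMASK);
    policies.put("ssn", MaskType.MASK_HASH);
    policies.put("name", MaskType.NONE);

    boolean pickOne = tableMaskedPickOne(policies);
    boolean checkAll = tableMaskedCheckAll(policies);

    // An update must be blocked whenever the table is considered masked.
    System.out.println("pick-one:  masked=" + pickOne + " -> update "
        + (pickOne ? "blocked" : "allowed"));
    System.out.println("check-all: masked=" + checkAll + " -> update "
        + (checkAll ? "blocked" : "allowed"));
  }
}
```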
