Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/17550 )
Change subject: IMPALA-10728: Check access privileges inside masking expressions
......................................................................

IMPALA-10728: Check access privileges inside masking expressions

Row-filtering/column-masking policies may introduce new expressions or tables to the original query, e.g. a column-masking policy can reference other columns that are not used by the original query, a row-filtering policy can filter rows based on a subquery on other tables.

Previously, we intended not to check accesses on these expressions and tables. One reason is that they are hidden and users are not aware of them. The other reason is the expressions are considered to be evaluated by the admin (who creates these policies and has access to all resources). The same for masking policies, i.e. if the hidden tables have masking policies, those policies are not applied recursively. This also avoids infinitely recursive masking.

Hive has the same behavior on masking policies. However, Hive does check access privileges inside the masking expressions. To avoid breaking users who may have already depended on this, we adjust our behavior to check access privileges inside the masking expressions as well. Due to this, audits will also be generated on accessing the additional columns.

Implementation:
Before this patch, we only collect privilege requests when analyzing the original query. When masking expressions are applied and query rewrite rules are applied, we re-analyze the AST without collecting privilege requests. This patch adjusts the behavior to also collect them in the re-analyzing pass after masking expressions are applied.

Tests
 - Add FE tests.
 - Adjust existing FE audit test to verify the additional audits.
 - Run CORE tests.

Change-Id: I772fa2f5d189b1272e8419ed1fb5b34d373d3601
Reviewed-on: http://gerrit.cloudera.org:8080/17550
Reviewed-by: Aman Sinha
Tested-by: Impala Public Jenkins
---
M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
4 files changed, 107 insertions(+), 36 deletions(-)

Approvals:
  Aman Sinha: Looks good to me, approved
  Impala Public Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/17550

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I772fa2f5d189b1272e8419ed1fb5b34d373d3601
Gerrit-Change-Number: 17550
Gerrit-PatchSet: 6
Gerrit-Owner: Quanlong Huang
Gerrit-Reviewer: Aman Sinha
Gerrit-Reviewer: Csaba Ringhofer
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Quanlong Huang
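
The behaviour change described in the commit message, as an added example that is not part of the original message and is not Impala code: a simplified Python model of which SELECT privilege requests are collected before and after masking expressions are included in the check. The table names, column names, policy contents and function names are all constructed assumptions.

```python
# Simplified model (not Impala code): privilege requests collected for a query
# before and after masking expressions are included in the check.
# All table, column and policy contents below are constructed.

# Column-masking policies: masked column -> columns its mask expression reads.
COLUMN_MASKS = {
    ("sales.orders", "card_no"): [("sales.orders", "region")],
    # Policy on a hidden table's column; never applied recursively.
    ("ref.regions", "code"): [("ref.regions", "owner")],
}
# Row-filter policies: table -> columns read by the filter's subquery.
ROW_FILTERS = {
    "sales.orders": [("ref.regions", "code")],
}


def privilege_requests(table, columns, check_masking_exprs):
    """Return the set of (table, column) SELECT requests for one query."""
    requests = {(table, c) for c in columns}      # pass 1: original query
    if not check_masking_exprs:
        return requests                           # behaviour before the patch
    # Re-analysis pass after the rewrite: also collect what the policies read.
    for col in columns:
        requests.update(COLUMN_MASKS.get((table, col), []))
    requests.update(ROW_FILTERS.get(table, []))
    # Hidden tables/columns are not masked again, so ("ref.regions", "owner")
    # is never pulled in even though ref.regions.code has its own policy.
    return requests


def authorize(granted, requests):
    """Return requests lacking a grant, sorted; an empty list means allowed."""
    return sorted(r for r in requests if r not in granted)


if __name__ == "__main__":
    granted = {("sales.orders", "card_no")}
    for flag in (False, True):
        reqs = privilege_requests("sales.orders", ["card_no"], flag)
        print(flag, sorted(reqs), "missing:", authorize(granted, reqs))
```

In this model a user granted only the queried column passes the old check and fails the new one, and every extra request is also a column that would now show up in the audit log.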
