Fang-Yu Rao has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/17640 )

Change subject: IMPALA-10436: Require lower privilege for external Kudu table 
creation
......................................................................


Patch Set 3:

(1 comment)

There is another drawback of the proposed approach to addressing the security 
concern mentioned previously.

http://gerrit.cloudera.org:8080/#/c/17640/3/fe/src/main/java/org/apache/impala/analysis/CreateTableStmt.java
File fe/src/main/java/org/apache/impala/analysis/CreateTableStmt.java:

http://gerrit.cloudera.org:8080/#/c/17640/3/fe/src/main/java/org/apache/impala/analysis/CreateTableStmt.java@341
PS3, Line 341: if (getTblProperties().containsKey(KuduTable.KEY_MASTER_HOSTS) ||
             :           (isExternal && 
!BackendConfig.INSTANCE.isKuduAuthorizationEnabled())) {
             :         String authzServer = authzConfig.getServerName();
             :         Preconditions.checkNotNull(authzServer);
             :         analyzer.registerPrivReq(builder -> 
builder.onServer(authzServer).all().build());
             :       }
> After some more thoughts, I came up with a solution that could address the
Another drawback of the approach to addressing the security concern is that the 
additional privilege (the ALL privilege on the table 
"kudu_unique.kudu_tbl_name") could not be granted to the requesting user in 
Impala shell because the database and the table do not exist from Impala's 
perspective and thus the analysis of the query would fail. For now, to grant the 
privilege, we need to do it via Ranger's web UI or via Ranger's REST APIs.



--
To view, visit http://gerrit.cloudera.org:8080/17640

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I7936e1d8c48696169f7ad7ad92abe44a26eea3c4
Gerrit-Change-Number: 17640
Gerrit-PatchSet: 3
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Aman Sinha <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Comment-Date: Mon, 05 Jul 2021 02:50:04 +0000
Gerrit-HasComments: Yes
