Fang-Yu Rao has uploaded a new patch set (#4). ( http://gerrit.cloudera.org:8080/17640 )
Change subject: IMPALA-10436: Require lower privilege for external Kudu table creation ...................................................................... IMPALA-10436: Require lower privilege for external Kudu table creation This patch lowers the privilege requirement for external Kudu table creation. Before this patch, a user was required to have the ALL privilege on SERVER if the user wanted to create an external Kudu table. In this patch we introduce a new type of resources called storage handler URI and a new access type called RWSTORAGE that are recently supported by Ranger. Specifically, after this patch, a user will be allowed to create an external Kudu table as long as the user is granted the RWSTORAGE privilege on the resource specified by a storage handler URI that points to the existing Kudu table. For instance, in order for a user 'non_owner' to create an external Kudu table based on an existing Kudu table 'impala::tpch_kudu.nation', it suffices to execute the following command as an administrator to grant the necessary privilege to the requesting user, where "localhost" is the default address of Kudu master host assuming there is only one single master host in this example. GRANT RWSTORAGE ON STORAGEHANDLER_URI 'kudu://localhost/impala::tpch_kudu.nation' TO USER non_owner One may be wondering why we do not simply cancel the privilege check that required the ALL privilege on SERVER for external Kudu table creation. One scenario in which such a relaxation is not secure is when the owner or the creator of the existing Kudu table is different from the requesting user who wants to create an external Kudu table in Impala. Not requiring any additional privilege check would allow a user without any privilege to retrieve the contents of the existing Kudu table. On the other hand, after this patch we still require a user to have the ALL privilege on SERVER when the table property of 'kudu.master_addresses' is specified in a query that tries to create a Kudu table whether or not the table is external. We do not relax such a requirement in that specifying the addresses of Kudu master hosts to connect should still be considered as an administrative operation. Testing: - Added various FE and E2E tests to verify Impala's behavior after this patch with respect to external Kudu table creation. - Verified that this patch passes the core tests on the DEBUG build. Change-Id: I7936e1d8c48696169f7ad7ad92abe44a26eea3c4 --- M common/thrift/CatalogObjects.thrift M fe/src/main/cup/sql-parser.cup M fe/src/main/java/org/apache/impala/analysis/CreateTableStmt.java M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java M fe/src/main/java/org/apache/impala/analysis/ShowGrantPrincipalStmt.java A fe/src/main/java/org/apache/impala/analysis/StorageHandlerUri.java M fe/src/main/java/org/apache/impala/authorization/Authorizable.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java A fe/src/main/java/org/apache/impala/authorization/AuthorizableStorageHandlerUri.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/Privilege.java M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java M fe/src/main/jflex/sql-scanner.flex M fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java M testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test M tests/authorization/test_ranger.py 25 files changed, 700 insertions(+), 229 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/40/17640/4 -- To view, visit http://gerrit.cloudera.org:8080/17640 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I7936e1d8c48696169f7ad7ad92abe44a26eea3c4 Gerrit-Change-Number: 17640 Gerrit-PatchSet: 4 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]>
