Fang-Yu Rao has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18684
Change subject: IMPALA-10122 (Part 2): Allow accessing views created by non-superusers ...................................................................... IMPALA-10122 (Part 2): Allow accessing views created by non-superusers This patch allows Impala users to access views created by non-superusers in HiveMetaStore, i.e., views with the table property of 'Authorized' set to false. Recall that a user is considered as a non-superuser by HiveMetaStore if the IP address of the user is not on the list specified by the Hadoop configuration of 'hadoop.proxyuser.<username>.hosts', where <username> denotes the short name corresponding to the Kerberos principal name of the user. For a view created by a non-superuser, HiveMetaStore adds to the view the table property of 'Authorized' and sets the value of this property to false after HIVE-24026. We prevented any Impala user from accessing such views in part 1 of this JIRA. To enable an Impala user to access such views, this patch enforces the privilege checks for the underlying tables of a view additionally if the given view was created by a non-superuser in HiveMetaStore. Testing: - Added an E2E test to verify the necessary privileges on the underlying tables are required in order to access a view created by a non-superuser. Change-Id: I50a50931c6eeb0feec28c30531b09269622e6aad --- M fe/src/main/java/org/apache/impala/analysis/Analyzer.java M fe/src/main/java/org/apache/impala/analysis/DropTableOrViewStmt.java M fe/src/main/java/org/apache/impala/analysis/InlineViewRef.java M fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java M fe/src/main/java/org/apache/impala/service/Frontend.java M tests/authorization/test_ranger.py 11 files changed, 109 insertions(+), 128 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/84/18684/1 -- To view, visit http://gerrit.cloudera.org:8080/18684 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I50a50931c6eeb0feec28c30531b09269622e6aad Gerrit-Change-Number: 18684 Gerrit-PatchSet: 1 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Kurt Deschler <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Reviewer: Vincent Tran <[email protected]>
