Quanlong Huang has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18684 )
Change subject: IMPALA-10122 (Part 2): Allow accessing views created by non-superusers ...................................................................... IMPALA-10122 (Part 2): Allow accessing views created by non-superusers This patch allows Impala users to access views created by non-superusers in HiveMetaStore, i.e., views with the table property of 'Authorized' set to false. Recall that a user is considered as a non-superuser by HiveMetaStore if the IP address of the user is not on the list specified by the Hadoop configuration of 'hadoop.proxyuser.<username>.hosts', where <username> denotes the short name corresponding to the Kerberos principal name of the user. For a view created by a non-superuser, HiveMetaStore adds to the view the table property of 'Authorized' and sets the value of this property to false after HIVE-24026. We prevented any Impala user from accessing such views in part 1 of this JIRA. To enable an Impala user to access such views, this patch enforces the privilege checks for the underlying tables of a view additionally if the given view was created by a non-superuser in HiveMetaStore. Testing: - Added an E2E test to verify the necessary privileges on the underlying tables are required in order to access a view created by a non-superuser. Change-Id: I50a50931c6eeb0feec28c30531b09269622e6aad Reviewed-on: http://gerrit.cloudera.org:8080/18684 Reviewed-by: Impala Public Jenkins <[email protected]> Reviewed-by: Quanlong Huang <[email protected]> Tested-by: Quanlong Huang <[email protected]> --- M fe/src/main/java/org/apache/impala/analysis/Analyzer.java M fe/src/main/java/org/apache/impala/analysis/DropTableOrViewStmt.java M fe/src/main/java/org/apache/impala/analysis/InlineViewRef.java M fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java M fe/src/main/java/org/apache/impala/service/Frontend.java M tests/authorization/test_ranger.py 11 files changed, 187 insertions(+), 128 deletions(-) Approvals: Impala Public Jenkins: Looks good to me, approved Quanlong Huang: Looks good to me, approved; Verified -- To view, visit http://gerrit.cloudera.org:8080/18684 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I50a50931c6eeb0feec28c30531b09269622e6aad Gerrit-Change-Number: 18684 Gerrit-PatchSet: 5 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Kurt Deschler <[email protected]> Gerrit-Reviewer: Michael Smith <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Reviewer: Vincent Tran <[email protected]>
