Hello Quanlong Huang, Aman Sinha, Csaba Ringhofer, Impala Public Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/19194
to look at the new patch set (#6).
Change subject: IMPALA-10986: Require the SELECT privilege to execute a UDF
......................................................................
IMPALA-10986: Require the SELECT privilege to execute a UDF
This patch registers the SELECT privilege on a UDF during query analysis
for a query that attempts to execute the UDF.
More precisely, before this patch, to execute a UDF, a user only had to
be granted any of the SELECT, INSERT, REFRESH privileges on all the
tables, columns in the database where the UDF belongs to.
After this patch, the user has to be granted the SELECT privilege on the
UDF as well to execute the UDF.
To facilitate managing privileges on UDF's, this patch also adds the
keyword 'USER_DEFINED_FN'. For instance, we could use the following
statement to grant the SELECT privilege on the UDF <udf_name> under the
database <db_name> the a user <user_name>.
GRANT SELECT ON USER_DEFINED_FN <db_name>.<udf_name> TO USER <user_name>
A wildcard in the name of a UDF is also supported. If an administrator
wants to grant to a user only the SELECT privilege on all the tables,
columns but not all the UDF's in a database, after executing "GRANT
SELECT ON DATABASE <db_name> TO USER <user_name>", the following could
be done to revoke the SELECT privilege on all the UDF's in the database
<db_name> from the user <user_name>.
REVOKE SELECT ON USER_DEFINED_FN <db_name>.`*` FROM USER <user_name>
Testing:
- Added various FE and E2E tests to verify Impala's behavior with
respect to UDF execution.
- Verified that this patch passes the core tests in the DEBUG build.
Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
---
M common/thrift/CatalogObjects.thrift
M fe/src/main/cup/sql-parser.cup
M fe/src/main/java/org/apache/impala/analysis/Analyzer.java
M fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java
M fe/src/main/java/org/apache/impala/analysis/FunctionName.java
M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M
fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
M
fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java
M fe/src/main/jflex/sql-scanner.flex
M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M tests/authorization/test_ranger.py
15 files changed, 381 insertions(+), 21 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/94/19194/6
--
To view, visit http://gerrit.cloudera.org:8080/19194
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
Gerrit-Change-Number: 19194
Gerrit-PatchSet: 6
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Aman Sinha <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
