Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/19194 )
Change subject: IMPALA-10986: Require the SELECT privilege to execute a UDF ...................................................................... Patch Set 7: (5 comments) http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@7 PS7, Line 7: execute Does this also affect create/drop function? What privilege is needed in that case? Also, does SHOW FUNCTIONS display function that the user has no right to execute? http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@16 PS7, Line 16: After this patch, the user has to be granted the SELECT privilege on the : UDF as well to execute the UDF. Hive works like this since a long time, right? Can you mention this in the commit message? http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@24 PS7, Line 24: GRANT SELECT ON USER_DEFINED_FN <db_name>.<udf_name> TO USER <user_name> Are the privileges created this way compatible with Hive, so enable/disable Udf access in Hive for the user? http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@34 PS7, Line 34: Are there OWNER privileges on UDFs? Does Hive (or after this patch Impala) add OWNER privileges to the function for the user who created the function? If not, then is it possible that a user can create a function in a DB, but not run it afterwards? http://gerrit.cloudera.org:8080/#/c/19194/7/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java: http://gerrit.cloudera.org:8080/#/c/19194/7/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@572 PS7, Line 572: onUdf Can you add a positive case when there is an onUdf privilege for f but no database level select on the whole db? -- To view, visit http://gerrit.cloudera.org:8080/19194 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740 Gerrit-Change-Number: 19194 Gerrit-PatchSet: 7 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Mon, 21 Nov 2022 14:49:17 +0000 Gerrit-HasComments: Yes
