Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/19194 )

Change subject: IMPALA-10986: Require the SELECT privilege to execute a UDF
......................................................................

Patch Set 7:

(5 comments)

http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@7
PS7, Line 7: execute
> Thanks Csaba!
Thanks! Can you mention in the commit message that only UDF execution privileges are changed by this patch?

http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@16
PS7, Line 16: After this patch, the user has to be granted the SELECT privilege on the
            : UDF as well to execute the UDF.
> According to my current understanding, Hive does not directly decide what
Thanks for the investigation! Yes, I understand that in the case of Hive, authorization is done mainly in Ranger's Hive plugin, so when I wrote Hive I meant this Ranger plugin.

Is my understanding correct that Impala's behavior will still not match completely with Hive's, as in Impala the UDF-level select privilege is not enough and we also need a database-level select/insert/refresh privilege?

http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@24
PS7, Line 24: GRANT SELECT ON USER_DEFINED_FN <db_name>.<udf_name> TO USER <user_name>
> As mentioned above, the authorization decision is mainly made by Ranger if
Thanks for looking into this!

http://gerrit.cloudera.org:8080/#/c/19194/7//COMMIT_MSG@34
PS7, Line 34:
> I have verified that in Cloudera's distribution of Hive (the one we provide
HMS seems to have an owner field for functions - I don't know whether it affects authorization:
https://github.com/apache/hive/blob/4144cd94a155d1cda828e52f6f881a430cc7aaf4/standalone-metastore/metastore-common/src/main/thrift/hive_metastore.thrift#L1022

I am OK with not going into ownership in the patch, but a follow-up Jira could be created about setting that field.

http://gerrit.cloudera.org:8080/#/c/19194/7/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java:

http://gerrit.cloudera.org:8080/#/c/19194/7/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@572
PS7, Line 572: onUdf
> I am a bit confused here.
I meant the case when there is a select privilege on functional.f, but only a different privilege, e.g. insert on functional. In this case we should allow the operation, right?

--
To view, visit http://gerrit.cloudera.org:8080/19194
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
Gerrit-Change-Number: 19194
Gerrit-PatchSet: 7
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Aman Sinha <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Comment-Date: Wed, 23 Nov 2022 14:58:00 +0000
Gerrit-HasComments: Yes
