Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/19252 )

Change subject: IMPALA-11728: Set fallback database for functions
......................................................................


Patch Set 13:

> Patch Set 13: -Code-Review
>
> > Just a minor question, FALLBACK_DB_FOR_FUNCTIONS brings flexibility
> > to FUNCTION calls, but it breaks the isolation between different
> > databases, we can still use the Apache Ranger for authorization of
> > those FUNCTIONs to implement the isolation, right? Has this been
> > tested?
>
> That is a very good point, Impala should not allow using functions in the 
> fallback database unless the user has some privileges on the given database.
>
> Note that there is an open review related to the authorization of UDFs: 
> https://gerrit.cloudera.org/#/c/19194/
>
> An example authorization test which deals with UDF + sets a query option: 
> https://github.com/apache/impala/blob/52956bae141acf2ecdd7b28ff7edb4d2f2fe3f10/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java#L2932
>
> Note that the AuthorizationStmtTest test suite can be extremely slow to run.

We could probably add a new end-to-end test in 
tests/authorization/test_ranger.py as briefly described in the following if we 
would like to verify Impala's behavior with respect to authorization when the 
query option of 'FALLBACK_DB_FOR_FUNCTIONS' is set.

1. As the user 'admin', execute "create database test_db".

2. As the user 'admin', execute "create function test_db.identity(bigint) 
returns bigint location '/test-warehouse/impala-hive-udfs.jar' 
symbol='org.apache.impala.TestUdf'".

3. As the user 'non_owner', execute "select identity(1)". Verify that the error 
message is "ERROR: AuthorizationException: User 'non_owner' does not have 
privileges to access: default".

4. As the user 'admin', execute "grant refresh on database default to user 
non_owner" and "refresh authorization".

5. As the user 'non_owner', execute "select identity(1)". Verify that the error 
message is "ERROR: AnalysisException: default.identity() unknown for database 
default. Currently this db has 0 functions."

6. As the user 'non_owner', execute "set FALLBACK_DB_FOR_FUNCTIONS=test_db" and 
then "select identity(1)". Verify that the error message is "ERROR: 
AuthorizationException: User 'non_owner' does not have privileges to access: 
test_db".

7. As the user 'admin', execute "grant refresh on database test_db to user 
non_owner" and "refresh authorization".

8. As the user 'non_owner', execute "select identity(1)". Verify that the query 
could be correctly executed. That is, the result should be 1.

Note that currently in order for the user <user_name> to execute a UDF in the 
database <db_name>, the requesting user has to be granted one of the SELECT, 
REFRESH, INSERT privileges on all the tables and all the columns in the 
database. This could be done by an administrator (e.g., the user 'admin') 
submitting to Impala server the command "grant <privilege> on database 
<db_name> to user <user_name>" where <privilege> is SELECT, REFRESH, or INSERT.

There is a similar end-to-end test at 
https://gerrit.cloudera.org/c/19194/8/tests/authorization/test_ranger.py#1154 
written for IMPALA-10986. The name of the new test suggested above could be 
something like "test_select_function_with_fallback_db".


--
To view, visit http://gerrit.cloudera.org:8080/19252
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I37b7e126718fea1c50723cacbaed898b20bb55e5
Gerrit-Change-Number: 19252
Gerrit-PatchSet: 13
Gerrit-Owner: Xiaoqing Gao <[email protected]>
Gerrit-Reviewer: Anonymous Coward <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Reviewer: Xiaoqing Gao <[email protected]>
Gerrit-Comment-Date: Fri, 25 Nov 2022 06:36:03 +0000
Gerrit-HasComments: No
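
The eight-step scenario from the comment above, as an added sketch that is not part of the original message and is not Impala or test_ranger.py code. It is a self-contained toy model: the Catalog class, its methods and the check ordering (privilege check on a database before any function lookup in it) are assumptions made for illustration, and the error strings are the ones quoted in the steps.

```python
# Toy model, NOT Impala code. Assumptions: the privilege check on a database
# precedes function lookup in it, and SELECT, REFRESH or INSERT is enough.
class AuthorizationException(Exception): pass
class AnalysisException(Exception): pass

UDF_PRIVILEGES = {"SELECT", "REFRESH", "INSERT"}

class Catalog:
    def __init__(self):
        self.functions = {"default": {}}  # db -> {function name: callable}
        self.grants = set()               # (user, db, privilege)
    def create_function(self, db, name, impl):
        self.functions.setdefault(db, {})[name] = impl
    def grant(self, privilege, db, user):
        self.grants.add((user, db, privilege.upper()))
    def _authorize(self, user, db):
        if not any((user, db, p) in self.grants for p in UDF_PRIVILEGES):
            raise AuthorizationException(
                "User '%s' does not have privileges to access: %s" % (user, db))

    def call(self, user, name, arg, db="default", fallback_db=None):
        self._authorize(user, db)
        fn = self.functions.get(db, {}).get(name)
        if fn is None and fallback_db is not None:
            # The fallback database gets its own check before its functions are visible.
            self._authorize(user, fallback_db)
            fn = self.functions.get(fallback_db, {}).get(name)
        if fn is None:
            raise AnalysisException(
                "%s.%s() unknown for database %s. Currently this db has %d functions."
                % (db, name, db, len(self.functions.get(db, {}))))
        return fn(arg)

def outcome(catalog, user, **options):
    try:
        return catalog.call(user, "identity", 1, **options)
    except (AuthorizationException, AnalysisException) as e:
        return "ERROR: %s: %s" % (type(e).__name__, e)

def run_scenario():
    c = Catalog()
    c.create_function("test_db", "identity", lambda x: x)             # steps 1-2
    results = [outcome(c, "non_owner")]                               # step 3
    c.grant("refresh", "default", "non_owner")                        # step 4
    results.append(outcome(c, "non_owner"))                           # step 5
    results.append(outcome(c, "non_owner", fallback_db="test_db"))    # step 6
    c.grant("refresh", "test_db", "non_owner")                        # step 7
    results.append(outcome(c, "non_owner", fallback_db="test_db"))    # step 8
    return results
```

run_scenario() returns the outcome of steps 3, 5, 6 and 8 in order, so the list can be compared directly against the messages expected in the comment.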
