Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/19194 )
Change subject: IMPALA-10986: Require the SELECT privilege to execute a UDF
......................................................................

Patch Set 12:

(3 comments)

Hi all, I have addressed Csaba's comments in the previous review. Let me know if there is still any other suggestion. Thanks!

http://gerrit.cloudera.org:8080/#/c/19194/11/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java:

http://gerrit.cloudera.org:8080/#/c/19194/11/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@2986
PS11, Line 2986: uires a) any
               : // of the INSERT, REFRESH, SELECT privile
> This doesn't seem exactly right anymore.

Thanks Csaba! I will correct the comment in my next patch.

http://gerrit.cloudera.org:8080/#/c/19194/11/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@2995
PS11, Line 2995: // as UDF's will be covered. A requesting user granted
> Shouldn't this fail if the privilege is not SELECT?

Thanks Csaba! I think this should be expected because according to https://github.com/apache/impala/blob/master/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java#L746-L749, the following privileges on the database will be granted to the requesting user.

1. TPrivilegeLevel.ALL
2. TPrivilegeLevel.OWNER
3. TPrivilegeLevel.SELECT
4. TPrivilegeLevel.INSERT
5. TPrivilegeLevel.REFRESH

In addition, when the scope of a privilege is database, all the UDF's as well as all the tables and columns under the database will be covered. Since the ALL, OWNER, and SELECT privileges on the databases are all granted to the requesting user, the requesting user has the ALL, OWNER, and SELECT privileges on a) all the tables and columns, and b) all the UDF's in the database.

In the next patch, I will add a code comment to explain this.

http://gerrit.cloudera.org:8080/#/c/19194/11/tests/authorization/test_ranger.py
File tests/authorization/test_ranger.py:

http://gerrit.cloudera.org:8080/#/c/19194/11/tests/authorization/test_ranger.py@1405
PS11, Line 1405: # A user has to be granted a) any of the INSERT, REFRESH, SELECT privileges on all
               : # the tables and columns in the fallback database, and b) the SELECT privilege on
               : # the UDF in the fallback database in order to execute the UDF.
               : admin_client.execute(
> The test could be extended to grant another privilege first (e.g. insert),

Done

--
To view, visit http://gerrit.cloudera.org:8080/19194
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
Gerrit-Change-Number: 19194
Gerrit-PatchSet: 12
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Aman Sinha <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Comment-Date: Wed, 07 Dec 2022 03:51:23 +0000
Gerrit-HasComments: Yes
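
The two-part rule quoted from the `test_ranger.py` comment in this message, written out as a simplified model. This is an added example, not code from the Impala change or from Ranger. `Grant`, `can_execute_udf`, the database name `fallback_db` and the UDF name `identity` are hypothetical, and the ALL and OWNER levels are not modelled.

```python
from dataclasses import dataclass

# Privileges the test comment accepts for condition (a).
# Assumption: ALL and OWNER are deliberately left out of this model.
TABLE_PRIVS = {"INSERT", "REFRESH", "SELECT"}


@dataclass(frozen=True)
class Grant:
    privilege: str   # e.g. "SELECT"
    scope: str       # "database", "table" or "udf"
    database: str
    name: str = "*"  # table or UDF name; unused for database scope


def _covers(grant, scope, database, name):
    """A database-scope grant covers every table, column and UDF under it."""
    if grant.database != database:
        return False
    if grant.scope == "database":
        return True
    return grant.scope == scope and grant.name in ("*", name)


def can_execute_udf(grants, database, udf):
    """Return True only when both conditions from the test comment hold."""
    # (a) any of INSERT/REFRESH/SELECT on all tables and columns in the database
    cond_a = any(
        g.privilege in TABLE_PRIVS and _covers(g, "table", database, "*")
        for g in grants
    )
    # (b) SELECT, specifically, on the UDF
    cond_b = any(
        g.privilege == "SELECT" and _covers(g, "udf", database, udf)
        for g in grants
    )
    return cond_a and cond_b


# Constructed sample grants.
INSERT_ON_DB = Grant("INSERT", "database", "fallback_db")
SELECT_ON_DB = Grant("SELECT", "database", "fallback_db")
SELECT_ON_UDF = Grant("SELECT", "udf", "fallback_db", "identity")
```

In this model a database-scope INSERT satisfies condition (a) but not (b), so the UDF stays blocked until SELECT reaches it, either directly or through a database-scope SELECT.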
