Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/19194 )
Change subject: IMPALA-10986: Require the SELECT privilege to execute a UDF
......................................................................

IMPALA-10986: Require the SELECT privilege to execute a UDF

This patch registers the SELECT privilege on a UDF during query analysis for a SELECT query that attempts to execute the UDF. Only the required privileges for UDF execution are changed. The required privileges for queries like CREATE/DROP FUNCTION or SHOW FUNCTIONS remain the same.

More precisely, before this patch, to execute a UDF, a user only had to be granted any of the SELECT, INSERT, REFRESH privileges on all the tables, columns in the database to which the UDF belongs. After this patch, the user has to be granted the SELECT privilege on the UDF as well to execute the UDF. Note that currently in Hive, only the SELECT privilege on the UDF is required when Ranger is the authorization provider. IMPALA-11769 was also created to keep track of the difference in the required privileges between Impala and Hive.

To facilitate managing privileges on UDFs, this patch also adds the keyword 'USER_DEFINED_FN'. For instance, we could use the following statement to grant the SELECT privilege on the UDF <udf_name> under the database <db_name> to the user <user_name>.

  GRANT SELECT ON USER_DEFINED_FN <db_name>.<udf_name> TO USER <user_name>

A wildcard in the name of a UDF is also supported. If an administrator wants to grant to a user only the SELECT privilege on all the tables, columns but not all the UDFs in a database, after executing "GRANT SELECT ON DATABASE <db_name> TO USER <user_name>", the following could be done to revoke the SELECT privilege on all the UDFs in the database <db_name> from the user <user_name>.

  REVOKE SELECT ON USER_DEFINED_FN <db_name>.`*` FROM USER <user_name>

Testing:
- Added various FE and E2E tests to verify Impala's behavior with respect to UDF execution.
- Verified that this patch passes the core tests in the DEBUG build.

Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
Reviewed-on: http://gerrit.cloudera.org:8080/19194
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
---
M common/thrift/CatalogObjects.thrift
M fe/src/main/cup/sql-parser.cup
M fe/src/main/java/org/apache/impala/analysis/Analyzer.java
M fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java
M fe/src/main/java/org/apache/impala/analysis/FunctionName.java
M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java
M fe/src/main/jflex/sql-scanner.flex
M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M tests/authorization/test_ranger.py
14 files changed, 467 insertions(+), 38 deletions(-)

Approvals:
  Impala Public Jenkins: Looks good to me, approved; Verified

--
To view, visit http://gerrit.cloudera.org:8080/19194
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
Gerrit-Change-Number: 19194
Gerrit-PatchSet: 15
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Aman Sinha <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
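
Added example, not part of the original message and not Impala or Ranger code: a simplified Python model of the UDF-execution check before and after this change, useful for seeing which existing users lose the ability to run a UDF on upgrade. The Grants class, can_execute_udf, scenario and the user, database and function names are hypothetical, and the assumption that a database-level grant also covers the database's UDFs is inferred from the GRANT ... ON DATABASE / REVOKE ... ON USER_DEFINED_FN sequence in the commit message.

```python
# Added illustration (not Impala or Ranger code); all names are hypothetical.
from fnmatch import fnmatchcase

TABLE_PRIVS = {"SELECT", "INSERT", "REFRESH"}  # any one sufficed before the patch


class Grants:
    """Toy grant store: (user, privilege, kind, db, name pattern) tuples."""

    def __init__(self):
        self._grants = set()

    def grant(self, user, priv, kind, db, name="*"):
        self._grants.add((user, priv, kind, db, name))

    def revoke(self, user, priv, kind, db, name="*"):
        self._grants.discard((user, priv, kind, db, name))

    def grant_on_database(self, user, priv, db):
        # Assumption inferred from the commit message: a database-level grant
        # covers all tables, columns and all UDFs in that database.
        self.grant(user, priv, "table", db)
        self.grant(user, priv, "udf", db)

    def has(self, user, privs, kind, db, name):
        return any(u == user and p in privs and k == kind and d == db
                   and fnmatchcase(name, pat)
                   for (u, p, k, d, pat) in self._grants)


def can_execute_udf(grants, user, db, udf, patched):
    # Old rule: any of SELECT/INSERT/REFRESH on all tables, columns in the db.
    on_tables = grants.has(user, TABLE_PRIVS, "table", db, "*")
    if not patched:
        return on_tables
    # New rule: additionally SELECT on the UDF itself (wildcard grants match).
    return on_tables and grants.has(user, {"SELECT"}, "udf", db, udf)


def scenario():
    """Constructed walk-through: database grant, wildcard revoke, one re-grant."""
    g = Grants()
    g.grant_on_database("alice", "SELECT", "db1")
    g.revoke("alice", "SELECT", "udf", "db1", "*")      # REVOKE ... db1.`*`
    g.grant("alice", "SELECT", "udf", "db1", "f1")      # GRANT ... db1.f1
    g.grant("bob", "INSERT", "table", "db1")            # table-only user
    return {(u, f, p): can_execute_udf(g, u, "db1", f, p)
            for u in ("alice", "bob") for f in ("f1", "f2") for p in (False, True)}
```

In the constructed scenario, bob (INSERT on all tables only) can run any UDF under the old rule and none under the new one, while alice keeps access only to the single UDF she was re-granted.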
