ji chen has uploaded a new patch set (#5). ( http://gerrit.cloudera.org:8080/20508 )
Change subject: IMPALA-12398: Fix Ranger role not exists when altering db/table/view owner to a role ...................................................................... IMPALA-12398: Fix Ranger role not exists when altering db/table/view owner to a role When Role '<ROLE_NAME>' is created with Ranger authorization enabled, if 'ALTER TABLE <TABLE_NAME> SET OWNER ROLE <ROLE_NAME>' statement is executed to assign role as the owner of the table, it will throw AnalysisException:Role '<ROLE_NAME>' does not exist. Before this patch, given the ALTER DATABASE/TABLE/VIEW SET OWNER ROLE statement, Impala always checked the existence of the given role in its AuthorizationPolicy. However, when the support for role-related statements with Ranger was added in IMPALA-10211, we only added the roles in RangerImpalaPlugin instead of AuthorizationPolicy. Therefore, the statement above would fail even though an authorized user tries to set the owner to an existing role in RangerImpalaPlugin. This patch will directly use ranger impala plugin to check the existence of the role, instead of using AuthorizationPolicy object. Tests: - Pass unit tests. test method testAlterView in AuthorizationStmtTest is updated accordingly. - Pass e2e tests. test method _test_ownership in test_ranger.py is updated to cover the new implementation. - Pass core tests with ranger enabled. Change-Id: I2b029bdb90111dbd0eab5189360cc81090225cda --- M fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java M fe/src/main/java/org/apache/impala/analysis/AlterTableOrViewSetOwnerStmt.java M fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/NoopAuthorizationFactory.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java A fe/src/test/java/org/apache/impala/authorization/CatalogServiceTestCatalogWithRanger.java M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java M fe/src/test/java/org/apache/impala/testutil/CatalogServiceTestCatalog.java M tests/authorization/test_ranger.py 12 files changed, 225 insertions(+), 14 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/08/20508/5 -- To view, visit http://gerrit.cloudera.org:8080/20508 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I2b029bdb90111dbd0eab5189360cc81090225cda Gerrit-Change-Number: 20508 Gerrit-PatchSet: 5 Gerrit-Owner: ji chen <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Reviewer: ji chen <[email protected]>
