Dimitris Tsirogiannis has uploaded a new change for review. http://gerrit.cloudera.org:8080/7064
Change subject: IMPALA-4965: Authorize access to runtime profile and exec summary ...................................................................... IMPALA-4965: Authorize access to runtime profile and exec summary Bug: When Sentry-based authorization is enabled, a user that isn't authorized to EXPLAIN a statement that uses a view can still access unauthorized information, such as view's definition, by running the statement and asking for the query profile or the execution summary. Fix: During query compilation, determine if the user can access the full runtime profile or the execution summary. Upon request for a runtime profile or execution summary from a user, determine based on that information and the user that is asking for the profile if a full or a limited runtime profile (or execution summary) will be returned. The authorization rule enforced is the following: - User A runs statement S, A asks for profile, A has full profile access: Full profile is returned - User A runs statement S, A asks for profile, A doesn't have full profile access: Limited profile is returned - User A runs statement S, user B asks for profile: Limited profile is returned. This patch doesn't enforce access to the runtime profile or execution summary through the Web UI. Change-Id: I2255d587367c2d328590ae8534a5406c4b0c9b15 --- M be/src/service/client-request-state.cc M be/src/service/client-request-state.h M be/src/service/impala-beeswax-server.cc M be/src/service/impala-hs2-server.cc M be/src/service/impala-http-handler.cc M be/src/service/impala-server.cc M be/src/service/impala-server.h M common/thrift/ImpalaInternalService.thrift M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java M fe/src/main/java/org/apache/impala/analysis/Analyzer.java M tests/authorization/test_authorization.py 11 files changed, 281 insertions(+), 37 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/64/7064/1 -- To view, visit http://gerrit.cloudera.org:8080/7064 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2255d587367c2d328590ae8534a5406c4b0c9b15 Gerrit-PatchSet: 1 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Dimitris Tsirogiannis <[email protected]>
