Impala Public Jenkins has submitted this change and it was merged.

Change subject: IMPALA-5489: Improve Sentry authorization for Kudu tables
......................................................................

IMPALA-5489: Improve Sentry authorization for Kudu tables

IMPALA-4000 added basic authorization support for Kudu tables, but it had several limitations:
* Only the ALL privilege level can be granted to Kudu tables. (Finer-grained levels such as only SELECT or only INSERT are not supported.)
* Column level permissions on Kudu tables are not supported.
* Only users with ALL privileges on SERVER may create external Kudu tables.

This patch relaxes the restrictions to allow:
* Allow column-level permissions
* Allow fine grained privileges SELECT and INSERT for those statement types.

DELETE/UPDATE/UPSERT privileges now require ALL privileges because Sentry will eventually get fine grained privilege actions, and at that point Impala should support the more specific actions (IMPALA-3840). The assumption is that the Kudu table authorization support is currently so limited that most users are not using this functionality yet, but this is a behavior change that needs to be clearly stated in the Impala release notes.

Testing: Adds FE and EE tests.

Change-Id: Ib12d2b32fa3e142e69bd8b0f24f53f9e5cbf7460
Reviewed-on: http://gerrit.cloudera.org:8080/7307
Reviewed-by: Matthew Jacobs <[email protected]>
Tested-by: Impala Public Jenkins
---
M fe/src/main/java/org/apache/impala/analysis/InsertStmt.java
M fe/src/main/java/org/apache/impala/analysis/ModifyStmt.java
M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java
M fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java
M fe/src/test/java/org/apache/impala/analysis/AuditingTest.java
M fe/src/test/java/org/apache/impala/analysis/ParserTest.java
M testdata/workloads/functional-query/queries/QueryTest/grant_revoke_kudu.test
7 files changed, 102 insertions(+), 31 deletions(-)

Approvals:
  Impala Public Jenkins: Verified
  Matthew Jacobs: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/7307
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ib12d2b32fa3e142e69bd8b0f24f53f9e5cbf7460
Gerrit-PatchSet: 6
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Matthew Jacobs <[email protected]>
Gerrit-Reviewer: Dimitris Tsirogiannis <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Matthew Jacobs <[email protected]>
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Thomas Tauber-Marshall <[email protected]>
