[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions
Bharath Vissapragada has abandoned this change. Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions .. Abandoned I need to rethink this a little and I'll post a review to ASF CR. Thanks for the initial set of comments Alex, I'll add you to the new CR. -- To view, visit http://gerrit.cloudera.org:8080/3520 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: abandon Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c Gerrit-PatchSet: 1 Gerrit-Project: Impala Gerrit-Branch: cdh5-trunk Gerrit-Owner: Bharath Vissapragada Gerrit-Reviewer: Alex Behm Gerrit-Reviewer: Dimitris Tsirogiannis
[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions
Alex Behm has posted comments on this change. Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions .. Patch Set 1: Any update on this one? -- To view, visit http://gerrit.cloudera.org:8080/3520 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c Gerrit-PatchSet: 1 Gerrit-Project: Impala Gerrit-Branch: cdh5-trunk Gerrit-Owner: Bharath Vissapragada Gerrit-Reviewer: Alex Behm Gerrit-Reviewer: Dimitris Tsirogiannis Gerrit-HasComments: No
[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions
Alex Behm has posted comments on this change. Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions .. Patch Set 1: (4 comments) http://gerrit.cloudera.org:8080/#/c/3520/1//COMMIT_MSG Commit Message: PS1, Line 15: Creating Can you summarize the new privilege requirements here and in the JIRA? My understanding is that CREATE FUNCTION needs CREATE privs on the database and ALL privs on the HDFS URI of the function library. (similar for DROP) http://gerrit.cloudera.org:8080/#/c/3520/1/fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java File fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java: Line 161: location_.analyze(analyzer, Privilege.ALL, FsAction.READ); For my understanding, any idea why READ on the location is not sufficient? The CREATE FUNCTION does not write/create anything in that URL. In any case, better to be consistent with Hive. http://gerrit.cloudera.org:8080/#/c/3520/1/fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java File fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java: Line 1809 we should still test that the admin can do everything Line 1813: sentryService.grantRoleToGroup(USER, "udf_uri", USER.getName()); add tests to demonstrate what SHOW FUNCTIONS commands the udf_uri user can run -- To view, visit http://gerrit.cloudera.org:8080/3520 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c Gerrit-PatchSet: 1 Gerrit-Project: Impala Gerrit-Branch: cdh5-trunk Gerrit-Owner: Bharath Vissapragada Gerrit-Reviewer: Alex Behm Gerrit-Reviewer: Dimitris Tsirogiannis Gerrit-HasComments: Yes
[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions
Bharath Vissapragada has uploaded a new change for review. http://gerrit.cloudera.org:8080/3520 Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions .. IMPALA-3797: Relax privilege requirements for creating/dropping functions Currently Impala expects an ALL privilege at the server level for creating or dropping functions. This is not reasonable because the user ends up getting many more undesirable grants apart from creating/dropping functions. To fix this, we change the grant model to the following - Creating functions now require an ALL privilege on the function URI - Dropping functions doesn't require any specific privileges The above rules make Impala's behavior consistent with Hive. Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c --- M fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java M fe/src/main/java/com/cloudera/impala/analysis/DropFunctionStmt.java M fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java M fe/src/test/resources/authz-policy.ini.template 4 files changed, 16 insertions(+), 27 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala refs/changes/20/3520/1 -- To view, visit http://gerrit.cloudera.org:8080/3520 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c Gerrit-PatchSet: 1 Gerrit-Project: Impala Gerrit-Branch: cdh5-trunk Gerrit-Owner: Bharath Vissapragada
