[ https://issues.apache.org/jira/browse/IMPALA-10986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fang-Yu Rao resolved IMPALA-10986. ---------------------------------- Fix Version/s: Impala 4.3.0 Resolution: Fixed Resolve this JIRA since the fix has been merged. > Specific privilege should be required to execute a UDF in Impala > ---------------------------------------------------------------- > > Key: IMPALA-10986 > URL: https://issues.apache.org/jira/browse/IMPALA-10986 > Project: IMPALA > Issue Type: Bug > Affects Versions: Impala 4.0.0 > Reporter: Fang-Yu Rao > Assignee: Fang-Yu Rao > Priority: Major > Fix For: Impala 4.3.0 > > Attachments: ranger_policy_for_udfs_impala.png > > > We found that currently in Impala, to execute a UDF, a user only has to be > granted one of the 3 privileges in {{{}INSERT{}}}, {{{}SELECT{}}}, > {{REFRESH}} on the database (i.e., the {{VIEW_METADATA}} privilege on the > database) where the UDF was created. No additional privilege on the UDF is > required. An example of the policy added via Ranger's web UI allowing a user > to execute a UDF is also provided here. > !ranger_policy_for_udfs_impala.png! > The privilege request of {{VIEW_METADATA}} on the database is registered > within [analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA, > true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557]. > This is the reason why the user has to be granted the VIEW_METADATA > privilege on the database to be able to execute the UDF. > Recall that the registration of the privilege mentioned above occurs in > [FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531] > where Impala's frontend analyzes the given function in a query. > I noticed in the same method above at > [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535], > Impala is able to determine whether the current function is a UDF or not. > Thus it seems that to fix the problem, we need to additionally register the > corresponding privilege request for a UDF (v.s. a built-in function) other > than the {{VIEW_METADATA}} privilege on the database. > We should thus provide a fix for the issue. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org