[jira] [Resolved] (IMPALA-10986) Specific privilege should be required to execute a UDF in Impala

Fri, 20 Jan 2023 14:13:07 -0800 


     [ 
https://issues.apache.org/jira/browse/IMPALA-10986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fang-Yu Rao resolved IMPALA-10986.
----------------------------------
    Fix Version/s: Impala 4.3.0
       Resolution: Fixed

Resolve this JIRA since the fix has been merged.

> Specific privilege should be required to execute a UDF in Impala
> ----------------------------------------------------------------
>
>                 Key: IMPALA-10986
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10986
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 4.0.0
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>             Fix For: Impala 4.3.0
>
>         Attachments: ranger_policy_for_udfs_impala.png
>
>
> We found that currently in Impala, to execute a UDF, a user only has to be 
> granted one of the 3 privileges in {{{}INSERT{}}}, {{{}SELECT{}}}, 
> {{REFRESH}} on the database (i.e., the {{VIEW_METADATA}} privilege on the 
> database) where the UDF was created. No additional privilege on the UDF is 
> required. An example of the policy added via Ranger's web UI allowing a user 
> to execute a UDF is also provided here.
> !ranger_policy_for_udfs_impala.png!
> The privilege request of {{VIEW_METADATA}} on the database is registered 
> within [analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA, 
> true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557].
>  This is the reason why the user has to be granted the VIEW_METADATA 
> privilege on the database to be able to execute the UDF.
> Recall that the registration of the privilege mentioned above occurs in 
> [FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531]
>  where Impala's frontend analyzes the given function in a query.
> I noticed in the same method above at 
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535],
>  Impala is able to determine whether the current function is a UDF or not. 
> Thus it seems that to fix the problem, we need to additionally register the 
> corresponding privilege request for a UDF (v.s. a built-in function) other 
> than the {{VIEW_METADATA}} privilege on the database.
> We should thus provide a fix for the issue.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

Reply via email to