[
https://issues.apache.org/jira/browse/IMPALA-13767?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18017940#comment-18017940
]
ASF subversion and git services commented on IMPALA-13767:
----------------------------------------------------------
Commit 0b9e2b2cd1ea48da676bd09b9c0f30e7d464f84a in impala's branch
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=0b9e2b2cd ]
IMPALA-13011: Support authorization for Calcite in Impala
This patch adds support for authorization when Calcite is the planner.
Specifically, this patch focuses on the authorization of table-level
and column-level privilege requests, including the case when a table
is a regular view, whether the view was created by a superuser. Note
that CalciteAnalysisDriver would throw an exception from analysis() if
given a query that requires table masking, i.e., column masking or row
filtering, since this feature is not yet supported by the Calcite
planner.
Moreover, we register the VIEW_METADATA privilege for each function
involved in the given query. We hardcode the database associated with
the function to 'BuiltinsDb', which is a bit hacky. We should not be
doing this once each function could be associated with a database when
we are using the Calcite planner. We may need to change Calcite's
parser for this.
The issue reported in IMPALA-13767 will be taken care of in another
separate patch and hence this patch could incorrectly register the
privilege request for a common table expression (CTE) in a WITH
clause, preventing a legitimate user from executing a query involving
CTE's.
Testing:
- We manually verified that the patch could pass the test cases in
AuthorizationStmtTest#testPrivilegeRequests() except for
"with t as (select * from alltypes) select * from t", for which
the fix will be provided via IMPALA-13767.
- Added various tests in test_ranger.py.
Change-Id: I9a7f7e4dc9a86a2da9e387832e552538e34029c1
Reviewed-on: http://gerrit.cloudera.org:8080/22716
Reviewed-by: Riza Suminto <[email protected]>
Reviewed-by: Michael Smith <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Common table expression (CTE) in a WITH clause should not be treated as a
> table by TableVisitor for the Calcite planner
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-13767
> URL: https://issues.apache.org/jira/browse/IMPALA-13767
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> Currently for the Calcite planner in Impala, a temporary table associated
> with a WITH clause is treated as a table by {{TableVisitor}} in
> [CalciteMetadataHandler.java|https://github.com/apache/impala/blob/master/java/calcite-planner/src/main/java/org/apache/impala/calcite/service/CalciteMetadataHandler.java].
>
> For instance, after the execution of
> "{{{}parsedNode.accept(tableVisitor){}}}" in CalciteMetadataHandler.java,
> '{{{}tableVisitor.tableNames_{}}}' evaluates to a {{HashSet}} consisting of
> the table names "{{{}default.t{}}}" and "{{{}functional.alltypestiny{}}}" for
> the following query. It would be better if "{{{}default.t{}}}" is not
> considered as the name of a table involved in the query when we are visiting
> the {{SqlNode}}.
> {code:java}
> with t as (select * from functional.alltypestiny) select * from t;
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
