[ https://issues.apache.org/jira/browse/IMPALA-13011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18017939#comment-18017939 ]
ASF subversion and git services commented on IMPALA-13011:
----------------------------------------------------------
Commit 0b9e2b2cd1ea48da676bd09b9c0f30e7d464f84a in impala's branch
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=0b9e2b2cd ]
IMPALA-13011: Support authorization for Calcite in Impala

This patch adds support for authorization when Calcite is the planner.
Specifically, this patch focuses on the authorization of table-level
and column-level privilege requests, including the case when a table
is a regular view, whether or not the view was created by a superuser. Note
that CalciteAnalysisDriver would throw an exception from analysis() if
given a query that requires table masking, i.e., column masking or row
filtering, since this feature is not yet supported by the Calcite
planner.

Moreover, we register the VIEW_METADATA privilege for each function
involved in the given query. We hardcode the database associated with
the function to 'BuiltinsDb', which is a bit hacky. We should not be
doing this once each function could be associated with a database when
we are using the Calcite planner. We may need to change Calcite's
parser for this.

The issue reported in IMPALA-13767 will be taken care of in another
separate patch and hence this patch could incorrectly register the
privilege request for a common table expression (CTE) in a WITH
clause, preventing a legitimate user from executing a query involving
CTEs.

Testing:
- We manually verified that the patch could pass the test cases in
  AuthorizationStmtTest#testPrivilegeRequests() except for
  "with t as (select * from alltypes) select * from t", for which
  the fix will be provided via IMPALA-13767.
- Added various tests in test_ranger.py.

Change-Id: I9a7f7e4dc9a86a2da9e387832e552538e34029c1
Reviewed-on: http://gerrit.cloudera.org:8080/22716
Reviewed-by: Riza Suminto <[email protected]>
Reviewed-by: Michael Smith <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Support Ranger Authorization for Calcite Planner.
> -------------------------------------------------
>
> Key: IMPALA-13011
> URL: https://issues.apache.org/jira/browse/IMPALA-13011
> Project: IMPALA
> Issue Type: Sub-task
> Reporter: Steve Carlin
> Assignee: Fang-Yu Rao
> Priority: Major
>
> There is a reference to the Authorization instance in CalcitePhysPlanCreator
> in order to instantiate the Analyzer object.
> Authorization needs to happen earlier. This should be refactored so it is
> not referenced in this part of the code.