[
https://issues.apache.org/jira/browse/IMPALA-14507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-14507:
---------------------------------
Description:
Currently Impala requires a requesting user to have the INSERT privilege on the
table, if the requesting user wants to insert a row into a table, even when the
requesting user only wants to insert values into some but not all columns in
the target table. For instance, consider the following query. It may be less
restrictive from a user's perspective, if the requesting user only needs the
INSERT privileges on the columns 'id', 'month', and 'year', but not other
columns, e.g., 'bool_col'.
{code:java}
insert into functional.alltypestiny(id, month, year) values (123, 1, 2025);
{code}
This especially makes sense in the cases where different users insert data into
different columns of the same table. For instance, when the target table is a
Kudu table that has the following columns. It's possible that a user is taking
care of updating the values of the columns 'bool_col' and 'tinyint_col',
whereas the other use is taking care of updating the values of the columns
'month' and 'year'.
{code:java}
+-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
| name | type | comment | primary_key | key_unique | nullable |
default_value | encoding | compression | block_size |
+-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
| id | int | | true | true | false |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| bool_col | boolean | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| tinyint_col | tinyint | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| smallint_col | smallint | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| int_col | int | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| bigint_col | bigint | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| float_col | float | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| double_col | double | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| date_string_col | string | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| string_col | string | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| timestamp_col | timestamp | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| year | int | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| month | int | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
+-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
{code}
On the other hand, for non-Kudu tables, it looks like Impala does not support
updating different subsets of columns of a target table separately, and thus it
may be okay that we require the INSERT privilege on the whole target table to
insert data into a table.
was:
Currently Impala requires a requesting user to have the INSERT privilege on the
table, if the requesting user wants to insert a row into a table, even when the
requesting user only wants to insert values into some but not all columns in
the target table. For instance, consider the following query. It may be less
restrictive from a user's perspective, if the requesting user only needs the
INSERT privileges on the columns 'id', 'month', and 'year', but not other
columns, e.g., 'bool_col'.
{code:java}
insert into functional.alltypestiny(id, month, year) values (123, 1, 2025);
{code}
This especially makes sense in the cases where different users insert values
into different columns of the same table. For instance, when the target table
is a Kudu table that has the following columns. It's possible that a user is
taking care of updating the values of the columns 'bool_col' and 'tinyint_col',
whereas the other use is taking care of updating the values of the columns
'month' and 'year'.
{code:java}
+-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
| name | type | comment | primary_key | key_unique | nullable |
default_value | encoding | compression | block_size |
+-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
| id | int | | true | true | false |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| bool_col | boolean | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| tinyint_col | tinyint | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| smallint_col | smallint | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| int_col | int | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| bigint_col | bigint | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| float_col | float | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| double_col | double | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| date_string_col | string | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| string_col | string | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| timestamp_col | timestamp | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| year | int | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
| month | int | | false | | true |
| AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
+-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
{code}
On the other hand, for non-Kudu tables, it looks like Impala does not support
updating different subsets of columns of a target table separately, and thus it
may be okay that we require the INSERT privilege on the whole target table to
insert data into a table.
> Consider lowering the privileges required for inserting data into a table
> -------------------------------------------------------------------------
>
> Key: IMPALA-14507
> URL: https://issues.apache.org/jira/browse/IMPALA-14507
> Project: IMPALA
> Issue Type: Improvement
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Minor
>
> Currently Impala requires a requesting user to have the INSERT privilege on
> the table, if the requesting user wants to insert a row into a table, even
> when the requesting user only wants to insert values into some but not all
> columns in the target table. For instance, consider the following query. It
> may be less restrictive from a user's perspective, if the requesting user
> only needs the INSERT privileges on the columns 'id', 'month', and 'year',
> but not other columns, e.g., 'bool_col'.
> {code:java}
> insert into functional.alltypestiny(id, month, year) values (123, 1, 2025);
> {code}
>
> This especially makes sense in the cases where different users insert data
> into different columns of the same table. For instance, when the target table
> is a Kudu table that has the following columns. It's possible that a user is
> taking care of updating the values of the columns 'bool_col' and
> 'tinyint_col', whereas the other use is taking care of updating the values of
> the columns 'month' and 'year'.
> {code:java}
> +-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
> | name | type | comment | primary_key | key_unique | nullable
> | default_value | encoding | compression | block_size |
> +-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
> | id | int | | true | true | false
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | bool_col | boolean | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | tinyint_col | tinyint | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | smallint_col | smallint | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | int_col | int | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | bigint_col | bigint | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | float_col | float | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | double_col | double | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | date_string_col | string | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | string_col | string | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | timestamp_col | timestamp | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | year | int | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> | month | int | | false | | true
> | | AUTO_ENCODING | DEFAULT_COMPRESSION | 0 |
> +-----------------+-----------+---------+-------------+------------+----------+---------------+---------------+---------------------+------------+
> {code}
> On the other hand, for non-Kudu tables, it looks like Impala does not support
> updating different subsets of columns of a target table separately, and thus
> it may be okay that we require the INSERT privilege on the whole target table
> to insert data into a table.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
