[
https://issues.apache.org/jira/browse/IMPALA-14954?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-14954:
---------------------------------
Description:
Apache Hive supports the {{WITH ADMIN OPTION}} clause for the GRANT ROLE
statement as shown at
[https://hive.apache.org/docs/latest/language/sql-standard-based-hive-authorization/#:~:text=GRANT%20role_name%20%5B%2C%20role_name%5D%20...%0ATO%20principal_specification%20%5B%2C%20principal_specification%5D%20...%20%0A%5B%20WITH%20ADMIN%20OPTION%20%5D%3B.]
This allows users/groups assigned a role with "{{WITH ADMIN OPTION}}" to
grant/revoke the same role to/from other users/groups, and hence could
decentralize the role management. We should do this too in Apache Impala.
I briefly verified that to delegate the role management of a role to a grantee,
it suffices to add the following after
[https://github.com/apache/impala/blob/a44f72d/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java#L566]
when constructing the corresponding {{GrantRevokeRoleRequest}}.
{code:java}
request.setGrantOption(true);
{code}
was:
Apache Hive supports the {{WITH ADMIN OPTION}} clause for the GRANT ROLE
statement as shown at
[https://hive.apache.org/docs/latest/language/sql-standard-based-hive-authorization/#:~:text=GRANT%20role_name%20%5B%2C%20role_name%5D%20...%0ATO%20principal_specification%20%5B%2C%20principal_specification%5D%20...%20%0A%5B%20WITH%20ADMIN%20OPTION%20%5D%3B.]
This allows users/groups assigned a role with "{{WITH ADMIN OPTION}}" to
grant/revoke the same role to/from other users/groups, and could decentralize
the role management. We should do this too in Apache Impala.
> Support the WITH ADMIN OPTION clause for granting roles
> -------------------------------------------------------
>
> Key: IMPALA-14954
> URL: https://issues.apache.org/jira/browse/IMPALA-14954
> Project: IMPALA
> Issue Type: Task
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> Apache Hive supports the {{WITH ADMIN OPTION}} clause for the GRANT ROLE
> statement as shown at
> [https://hive.apache.org/docs/latest/language/sql-standard-based-hive-authorization/#:~:text=GRANT%20role_name%20%5B%2C%20role_name%5D%20...%0ATO%20principal_specification%20%5B%2C%20principal_specification%5D%20...%20%0A%5B%20WITH%20ADMIN%20OPTION%20%5D%3B.]
>
> This allows users/groups assigned a role with "{{WITH ADMIN OPTION}}" to
> grant/revoke the same role to/from other users/groups, and hence could
> decentralize the role management. We should do this too in Apache Impala.
>
> I briefly verified that to delegate the role management of a role to a
> grantee, it suffices to add the following after
> [https://github.com/apache/impala/blob/a44f72d/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java#L566]
> when constructing the corresponding {{GrantRevokeRoleRequest}}.
> {code:java}
> request.setGrantOption(true);
> {code}
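The delegation rule described in this issue (a principal granted a role WITH ADMIN OPTION may grant/revoke that same role, and only that role), as an added Python model that is not Impala, Hive or Ranger code. The `RoleStore` class, the single `admins` set and the principal and role names are assumptions made for illustration; `role_managers` is the view a reviewer would check after role management has been decentralized.

```python
# Toy model of role delegation (constructed for illustration; not Ranger's data model).
from dataclasses import dataclass, field

class NotAuthorized(Exception):
    """Raised when the actor may not manage the requested role."""

@dataclass
class RoleStore:
    admins: set  # assumption: principals that may manage every role
    members: dict = field(default_factory=dict)  # role -> {principal: admin_option}

    def can_manage(self, actor, role):
        # Admins, or holders of this role granted WITH ADMIN OPTION, may grant/revoke it.
        return actor in self.admins or self.members.get(role, {}).get(actor, False)

    def grant(self, actor, role, grantee, admin_option=False):
        if not self.can_manage(actor, role):
            raise NotAuthorized(f"{actor} may not grant {role}")
        self.members.setdefault(role, {})[grantee] = admin_option

    def revoke(self, actor, role, grantee):
        if not self.can_manage(actor, role):
            raise NotAuthorized(f"{actor} may not revoke {role}")
        self.members.get(role, {}).pop(grantee, None)

    def role_managers(self, role):
        # Audit view: every principal able to hand out or remove this role.
        holders = self.members.get(role, {})
        return sorted(self.admins | {p for p, adm in holders.items() if adm})

def denied(action, *args):
    """Return True if the call is rejected with NotAuthorized."""
    try:
        action(*args)
    except NotAuthorized:
        return True
    return False

def demo():
    store = RoleStore(admins={"admin"})
    store.grant("admin", "analyst", "alice", admin_option=True)  # delegate the role
    store.grant("alice", "analyst", "bob")  # alice manages the role she was delegated
    return {
        "bob_regrant_denied": denied(store.grant, "bob", "analyst", "carol"),
        "alice_other_role_denied": denied(store.grant, "alice", "etl", "carol"),
        "analyst_managers": store.role_managers("analyst"),
        "bob_revoked_by_alice": not denied(store.revoke, "alice", "analyst", "bob"),
    }
```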