Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/22716 )
Change subject: IMPALA-13011: Support authorization for Calcite in Impala ...................................................................... IMPALA-13011: Support authorization for Calcite in Impala This patch adds support for authorization when Calcite is the planner. Specifically, this patch focuses on the authorization of table-level and column-level privilege requests, including the case when a table is a regular view, whether the view was created by a superuser. Note that CalciteAnalysisDriver would throw an exception from analysis() if given a query that requires table masking, i.e., column masking or row filtering, since this feature is not yet supported by the Calcite planner. Moreover, we register the VIEW_METADATA privilege for each function involved in the given query. We hardcode the database associated with the function to 'BuiltinsDb', which is a bit hacky. We should not be doing this once each function could be associated with a database when we are using the Calcite planner. We may need to change Calcite's parser for this. The issue reported in IMPALA-13767 will be taken care of in another separate patch and hence this patch could incorrectly register the privilege request for a common table expression (CTE) in a WITH clause, preventing a legitimate user from executing a query involving CTE's. Testing: - We manually verified that the patch could pass the test cases in AuthorizationStmtTest#testPrivilegeRequests() except for "with t as (select * from alltypes) select * from t", for which the fix will be provided via IMPALA-13767. - Added various tests in test_ranger.py. Change-Id: I9a7f7e4dc9a86a2da9e387832e552538e34029c1 Reviewed-on: http://gerrit.cloudera.org:8080/22716 Reviewed-by: Riza Suminto <[email protected]> Reviewed-by: Michael Smith <[email protected]> Tested-by: Impala Public Jenkins <[email protected]> --- M fe/src/main/java/org/apache/impala/analysis/Analyzer.java M fe/src/main/java/org/apache/impala/analysis/ParsedStatement.java M fe/src/main/java/org/apache/impala/analysis/ParsedStatementImpl.java M fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java M java/calcite-planner/src/main/java/org/apache/impala/calcite/schema/CalciteDb.java A java/calcite-planner/src/main/java/org/apache/impala/calcite/schema/ImpalaViewTable.java M java/calcite-planner/src/main/java/org/apache/impala/calcite/service/CalciteAnalysisDriver.java M java/calcite-planner/src/main/java/org/apache/impala/calcite/service/CalciteParsedStatement.java A java/calcite-planner/src/main/java/org/apache/impala/calcite/service/ImpalaSqlValidatorImpl.java M tests/authorization/test_ranger.py 11 files changed, 594 insertions(+), 15 deletions(-) Approvals: Riza Suminto: Looks good to me, but someone else must approve Michael Smith: Looks good to me, approved Impala Public Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/22716 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I9a7f7e4dc9a86a2da9e387832e552538e34029c1 Gerrit-Change-Number: 22716 Gerrit-PatchSet: 24 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Joe McDonnell <[email protected]> Gerrit-Reviewer: Michael Smith <[email protected]> Gerrit-Reviewer: Riza Suminto <[email protected]> Gerrit-Reviewer: Steve Carlin <[email protected]>
