Hello Quanlong Huang, Riza Suminto, Noemi Pap-Takacs, Csaba Ringhofer, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/23569

to look at the new patch set (#14).

Change subject: IMPALA-14507: Register column-level privilege requests for INSERT
......................................................................

IMPALA-14507: Register column-level privilege requests for INSERT

This patch registers column-level privilege requests for columns
involved in the INSERT statement so that the requesting user does not
need to be granted the INSERT privilege on the entire table. This would
be helpful in the case when different users are allowed to insert data
into different sets of columns in the same table.

This would also allow an administrator to add deny policies on columns
against a user if we would like to prevent the user from inserting data
into the specified columns.

Testing:
 - Added frontend and end-to-end tests to verify that
   a) we register column-level privilege requests in the INSERT
      statement in addition to the table-level one,
   b) a user is not allowed to insert data into a column of a table
      if there is a deny policy defined on the column against the user,
      even though the user was already granted the INSERT privilege on
      the table,
   c) a user is not allowed to insert data into a column if there is a
      column masking policy defined on any column of the same table,
      even though the user was already granted the INSERT privilege on
      the table (RANGER-1087 and IMPALA-10554),
   d) a user is allowed to insert data into a set of columns of a table
      as long as the user was granted the INSERT privileges on those
      columns given that there is no deny policy on those columns and
      no column masking policy on any column of the same table,
   e) column-level Ranger audit events could be produced after the
      introduction of column-level INSERT privilege,
   f) we are able to grant and revoke column-level INSERT privileges via
      the catalog server, and show column-level INSERT privileges via a
      coordinator.

Change-Id: I2ef61801d3b394c56702b193c250492a62b111df
---
M fe/src/main/java/org/apache/impala/analysis/InsertStmt.java
M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizableColumn.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationContext.java
M fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
M tests/authorization/test_ranger.py
12 files changed, 783 insertions(+), 125 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/69/23569/14
--
To view, visit http://gerrit.cloudera.org:8080/23569

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I2ef61801d3b394c56702b193c250492a62b111df
Gerrit-Change-Number: 23569
Gerrit-PatchSet: 14
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Noemi Pap-Takacs <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Reviewer: Riza Suminto <[email protected]>
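
The test cases (b), (c) and (d) in the commit message describe how table-level grants, column-level grants, column deny policies and column masking policies interact for INSERT. The following is an added example, not code from the patch, Impala or Ranger, that models those three rules. The class, function, table, column and user names are hypothetical, and it assumes that a table-level grant covers every column unless a deny applies and that masking policies are recorded per user.

```python
from dataclasses import dataclass, field


@dataclass
class TablePolicy:
    """Constructed stand-in for the policies on one table (not Ranger's model)."""
    table_insert: set = field(default_factory=set)      # users with INSERT on the table
    column_insert: dict = field(default_factory=dict)   # column -> users with INSERT on it
    column_deny: dict = field(default_factory=dict)     # column -> users denied INSERT on it
    masked_columns: dict = field(default_factory=dict)  # column -> users with a masking policy


def authorize_insert(policy, user, target_columns):
    """Return (allowed, reason) for an INSERT by user into target_columns."""
    # Case (c): a masking policy on any column of the table blocks the INSERT,
    # whether or not the masked column is among the target columns.
    for col, users in sorted(policy.masked_columns.items()):
        if user in users:
            return False, f"column masking policy on {col}"
    # One check per target column, mirroring the column-level privilege
    # requests the commit message says are registered for INSERT.
    for col in target_columns:
        # Case (b): a deny on the column overrides a table-level grant.
        if user in policy.column_deny.get(col, set()):
            return False, f"deny policy on {col}"
        # Case (d): a column-level grant is sufficient without a table grant.
        # Assumption of this model: a table-level grant also covers the column.
        has_table = user in policy.table_insert
        has_column = user in policy.column_insert.get(col, set())
        if not (has_table or has_column):
            return False, f"no INSERT privilege on {col}"
    return True, "allowed"


# Constructed sample policies; every name below is made up for illustration.
POLICY = TablePolicy(
    table_insert={"alice", "carol"},
    column_insert={"id": {"bob"}, "name": {"bob"}},
    column_deny={"salary": {"alice"}},
    masked_columns={"ssn": {"carol"}},
)

if __name__ == "__main__":
    for user, cols in [("alice", ["id", "salary"]), ("bob", ["id", "name"]),
                       ("bob", ["id", "salary"]), ("carol", ["id"])]:
        print(user, cols, authorize_insert(POLICY, user, cols))
```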
