Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/23569 )
Change subject: IMPALA-14507: Register column-level privilege requests for INSERT ...................................................................... Patch Set 17: In patch set 17, I revised the Preconditions check in BaseAuthorizationChecker.java in patch set 16 to make the check a little bit relaxed so that we would allow the case where a column-level privilege request could be registered before its respective table-level privilege request. I also changed the following line in CreateTableAsSelectStmt.java from "FeDb db = analyzer.getDb(createStmt_.getDb(), Privilege.ANY);" to "FeDb db = analyzer.getDb(createStmt_.getDb(), /* throwIfDoesNotExist */ false);". The previous statement would register a AuthorizableColumn for a wildcard column name "<db_name>.*.*" with privilege being ANY. But we don't really register a AuthorizableTable for "<db_name>.*". It's not entirely clear to me if registering this ANY privilege is required. I also triggered https://jenkins.impala.io/job/gerrit-verify-dryrun-external/3335/ against patch set 17 so we could have an idea about whether the latest Preconditions check would cause any regression. I feel like we are opening a can of worms here. -- To view, visit http://gerrit.cloudera.org:8080/23569 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I2ef61801d3b394c56702b193c250492a62b111df Gerrit-Change-Number: 23569 Gerrit-PatchSet: 17 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Noemi Pap-Takacs <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Reviewer: Riza Suminto <[email protected]> Gerrit-Comment-Date: Thu, 08 Jan 2026 23:27:16 +0000 Gerrit-HasComments: No
