[ https://issues.apache.org/jira/browse/IMPALA-8921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16925006#comment-16925006 ]
ASF subversion and git services commented on IMPALA-8921: --------------------------------------------------------- Commit 521b15293eaeef6d02917ce20569275adcbd0802 in impala's branch refs/heads/master from Bharath Vissapragada [ https://gitbox.apache.org/repos/asf?p=impala.git;h=521b152 ] IMPALA-8921: Use short name for Ranger grant/revoke requests For certain grant/revoke Ranger commmands, we ended up passing the full name which is a problem when kerberos is enabled. Ranger expects the short name during authorization. Testing: We do not have test coverage with kerberos enabled, so I inspected the code manually to make sure we are using getShortName() everywhere. Change-Id: I3dc1bf55d50dc2e5fa6e07f16644f0a2773f2d23 Reviewed-on: http://gerrit.cloudera.org:8080/14185 Reviewed-by: Bharath Vissapragada <bhara...@cloudera.com> Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com> > Use kerberos short name for ranger requests. > -------------------------------------------- > > Key: IMPALA-8921 > URL: https://issues.apache.org/jira/browse/IMPALA-8921 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Frontend > Affects Versions: Impala 3.2.0, Impala 3.3.0 > Reporter: bharath v > Assignee: bharath v > Priority: Blocker > > For certain grant/revoke requests, we are using the full name, which is a > fully qualified user principal. > {noformat} > @Override > public void grantPrivilegeToUser(TCatalogServiceRequestHeader header, > TGrantRevokePrivParams params, TDdlExecResponse response) throws > ImpalaException { > List<GrantRevokeRequest> requests = createGrantRevokeRequests( > ====> header.getRequesting_user(), true, params.getPrincipal_name(), > Collections.emptyList(), plugin_.get().getClusterName(), > header.getClient_ip(), params.getPrivileges()); > @Override > public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header, > TGrantRevokePrivParams params, TDdlExecResponse response) throws > ImpalaException { > List<GrantRevokeRequest> requests = createGrantRevokeRequests( > ====> header.getRequesting_user(), false, params.getPrincipal_name(), > Collections.emptyList(), plugin_.get().getClusterName(), > header.getClient_ip(), params.getPrivileges()); > @Override > public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header, > TGrantRevokePrivParams params, TDdlExecResponse response) throws > ImpalaException { > List<GrantRevokeRequest> requests = createGrantRevokeRequests( > =>>> header.getRequesting_user(), true, null, > Collections.singletonList(params.getPrincipal_name()), > plugin_.get().getClusterName(), header.getClient_ip(), > params.getPrivileges()); > @Override > public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header, > TGrantRevokePrivParams params, TDdlExecResponse response) throws > ImpalaException { > List<GrantRevokeRequest> requests = createGrantRevokeRequests( > ===> header.getRequesting_user(), false, null, > Collections.singletonList(params.getPrincipal_name()), > plugin_.get().getClusterName(), header.getClient_ip(), > params.getPrivileges()); > {noformat} > Ranger expects a short name instead. The bug existed since the original > implementation [1], but the code has been later refactored. > [1] https://gerrit.cloudera.org/#/c/12914/ -- This message was sent by Atlassian Jira (v8.3.2#803003) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org