[ https://issues.apache.org/jira/browse/IMPALA-8587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17022635#comment-17022635 ]

Fang-Yu Rao edited comment on IMPALA-8587 at 1/24/20 5:29 AM:
--------------------------------------------------------------

Two proposed patches are available. One is the patch authored by [~anobis] at 
[https://gerrit.cloudera.org/c/13673/] and the other by [~fangyurao] at 
[https://gerrit.cloudera.org/c/14356/4].

The main difference between these 2 patches is that the former provides more 
information in the result when a user issues a query looking for the privileges 
granted to a specified user. For example, suppose that a user has issued the 
SQL statement {{grant all on server to user fangyurao}}. If this user then 
issues {{show grant user fangyurao on database functional}}, the former 
approach would produce the following.
{code:java}
Query: show grant user fangyurao on database functional
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | *        |       |        |     | *   | all       | false        | 1579808605799 |
| USER           | fangyurao      | *        | *     | *      |     |     | all       | false        | 1579808605466 |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
{code}
It can be seen that the result also indicates that the specified user, i.e., 
{{fangyurao}} in this case, is also granted all the privileges of ALL the 
databases.

On the other hand, the latter approach would output the following, which 
indicates that the specified user is granted privileges of all the tables and 
columns of the database {{functional}}.
{code:java}
Query: show grant user fangyurao on database functional
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database   | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | functional |       |        |     | *   | all       | false        | 1579808246841 |
| USER           | fangyurao      | functional | *     | *      |     |     | all       | false        | 1579808246554 |
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
{code}
Both approaches are correct in my view since both fix the issue of not 
displaying the granted privileges correctly. But in terms of bug fixing, I 
think the patch of the latter approach is easier to understand (which can be 
seen from 
[https://gerrit.cloudera.org/c/13673/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#339]
 that [~fredyw] cannot understand the logic in the former approach at first 
glance).

In case we decide to adopt the latter approach, I could also create a JIRA that 
adopts the former approach that provides a user with more information.



> Show inherited privileges in show grant w/ Ranger
> -------------------------------------------------
>
>                 Key: IMPALA-8587
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8587
>             Project: IMPALA
>          Issue Type: Sub-task
>          Components: Frontend
>            Reporter: Austin Nobis
>            Assignee: Fang-Yu Rao
>            Priority: Critical
>
> If an admin has privileges from:
> *grant all on server to user admin;*
>  
> Currently the command below will show no results:
> *show grant user admin on database functional;*
>  
> After the change, the user should see server level privileges from:
> *show grant user admin on database functional;*
>  
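The two display choices compared in the comment above can be modelled in a few lines. This is an added example, not code from either Gerrit patch or from Impala; the `Grant` record, the function names and the `tpch` grant are assumptions made up for illustration.

```python
from typing import NamedTuple

WILDCARD = "*"

class Grant(NamedTuple):
    principal: str
    database: str   # "*" = every database (comes from a server-level grant)
    table: str
    column: str
    udf: str
    privilege: str

# Constructed policy store: the two rows produced by
# `grant all on server to user fangyurao`, plus one unrelated grant.
GRANTS = [
    Grant("fangyurao", "*", "", "", "*", "all"),
    Grant("fangyurao", "*", "*", "*", "", "all"),
    Grant("fangyurao", "tpch", "*", "*", "", "select"),
]

def show_grant_exact(grants, principal, database):
    """Models the reported symptom only: an exact-name filter returns no
    rows for a user whose access is inherited from the server level."""
    return [g for g in grants
            if g.principal == principal and g.database == database]

def covers(grant, database):
    """A grant applies to `database` if it names it or uses the wildcard."""
    return grant.database in (WILDCARD, database)

def show_grant(grants, principal, database, rewrite_scope):
    """Model of `show grant user <principal> on database <database>`.

    rewrite_scope=False: list matching grants as stored, so the row shows
        that the privilege really spans all databases (former approach).
    rewrite_scope=True: report the requested database name in place of
        the wildcard (latter approach).
    """
    rows = []
    for g in grants:
        if g.principal != principal or not covers(g, database):
            continue
        rows.append(g._replace(database=database) if rewrite_scope else g)
    return rows

if __name__ == "__main__":
    for flag in (False, True):
        for row in show_grant(GRANTS, "fangyurao", "functional", flag):
            print(flag, row)
```

In this model both variants return the same number of rows; only the `database` column differs, which is the scope information a reviewer of access rights would read from the output.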


