[
https://issues.apache.org/jira/browse/IMPALA-12291?focusedWorklogId=871533&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-871533
]
ASF GitHub Bot logged work on IMPALA-12291:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 18/Jul/23 11:50
Start Date: 18/Jul/23 11:50
Worklog Time Spent: 10m
Work Description: HalimKim opened a new pull request, #54:
URL: https://github.com/apache/impala/pull/54
### Related Issue
* https://issues.apache.org/jira/projects/IMPALA/issues/IMPALA-12291
### Description
* When HDFS is ranger enabled, current impala fe doesn't check ranger policy
but hadoop inode permission
* New feature adds getAvailableAccessLevel() method ranger check code using
Hadoop API
* Add one more catch in getTExecRequest() method to check AnalysisException
### Test
* Manual Test done
* Distribute impala fe jar for impalad and catalogd
* Enable HDFS Ranger Plugin.
* Give impala Allow condition for ranger hdfs policy and check insert
query - Insert Success
* Give impala Deny condition for ranger hdfs policy and check insert query
- Insert Fail
Issue Time Tracking
-------------------
Worklog Id: (was: 871533)
Remaining Estimate: 0h
Time Spent: 10m
> Insert statement fails even if hdfs ranger policy allows it
> -----------------------------------------------------------
>
> Key: IMPALA-12291
> URL: https://issues.apache.org/jira/browse/IMPALA-12291
> Project: IMPALA
> Issue Type: Bug
> Components: fe, Security
> Environment: - Impala Version (4.1.0)
> - Ranger admin version (2.0)
> - Hive version (3.1.2)
> Reporter: halim kim
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Apache Ranger is framework for providing security and authorization in hadoop
> platform.
> Impala can also utilize apache ranger via ranger hive policy.
> The thing is that insert or some other query is not executed even If you
> enable ranger hdfs plugin and set proper allow condition for impala query
> excuting.
> you can see error log like below.
> {code:java}
> AnalysisException: Unable to INSERT into target table (testdb.testtable)
> because Impala does not have WRITE access to HDFS location:
> hdfs://testcluster/warehouse/testdb.db/testtable
> {code}
> This happens when ranger hdfs plugin is enabled but impala doesn't have
> permission for hdfs POSIX permission.
> For example, In the case that DB file owner, group and permission is set as
> hdfs:hdfs r-xr-xr-- and ranger plugin policy(hdfs, hive and impala) allows
> impala to execute query, Insert Query will be fail.
> In my opinion, The main cause is impala fe component doesn't check ranger
> policy but hdfs POSIX model permissions.
> Similar issue : https://issues.apache.org/jira/browse/IMPALA-10272
> I'm working on resolving this issue by adding hdfs ranger policy checking
> code.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
