[jira] [Updated] (IMPALA-12578) Pass the owner user to the Ranger plug-in in GRANT and REVOKE statements

[Fang-Yu Rao (Jira)]

     [ 
https://issues.apache.org/jira/browse/IMPALA-12578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fang-Yu Rao updated IMPALA-12578:
---------------------------------
    Description: 
Starting from RANGER-1200, Ranger supports the notion of the OWNER user, which 
allows each user to perform any operation on the resources owned by it. This 
avoids the need for creating a new policy that grants the OWNER user the 
privileges on every newly created  resource. Refer to 
[apache-ranger-policy-model|https://blogsarchive.apache.org/ranger/entry/apache-ranger-policy-model#:~:text=allow%20each%20user%20to%20access%20all,all].

Currently for the GRANT and REVOKE statements, Impala does not pass the owner 
of the resource to the Ranger plug-in and thus a non-administrative user could 
not grant/revoke privileges on a resource to/from another user even though this 
non-administrative user owns the resource. We should pass the ownership 
information to the Ranger plug-in to make authorization management easier in 
Impala.

  was:
Starting from RANGER-1200, Ranger supports the notion of the OWNER user, which 
allows each user to perform any operation on the resources owned by them. This 
avoids the need for creating a new policy that grants the OWNER user the 
privileges on every newly created  resource. Refer to 
[apache-ranger-policy-model|https://blogsarchive.apache.org/ranger/entry/apache-ranger-policy-model#:~:text=allow%20each%20user%20to%20access%20all,all].

Currently for the GRANT and REVOKE statements, Impala does not pass the owner 
of the resource to the Ranger plug-in and thus a non-administrative user could 
not grant/revoke privileges on a resource to/from another user even though this 
non-administrative user owns the resource. We should pass the ownership 
information to the Ranger plug-in to make authorization management easier in 
Impala.


> Pass the owner user to the Ranger plug-in in GRANT and REVOKE statements
> ------------------------------------------------------------------------
>
>                 Key: IMPALA-12578
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12578
>             Project: IMPALA
>          Issue Type: New Feature
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Starting from RANGER-1200, Ranger supports the notion of the OWNER user, 
> which allows each user to perform any operation on the resources owned by it. 
> This avoids the need for creating a new policy that grants the OWNER user the 
> privileges on every newly created  resource. Refer to 
> [apache-ranger-policy-model|https://blogsarchive.apache.org/ranger/entry/apache-ranger-policy-model#:~:text=allow%20each%20user%20to%20access%20all,all].
> Currently for the GRANT and REVOKE statements, Impala does not pass the owner 
> of the resource to the Ranger plug-in and thus a non-administrative user 
> could not grant/revoke privileges on a resource to/from another user even 
> though this non-administrative user owns the resource. We should pass the 
> ownership information to the Ranger plug-in to make authorization management 
> easier in Impala.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org