[
https://issues.apache.org/jira/browse/IMPALA-10211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17795200#comment-17795200
]
ASF subversion and git services commented on IMPALA-10211:
----------------------------------------------------------
Commit d9c067aa89313547c1d8dbf3840ebe308726f8c3 in impala's branch
refs/heads/master from jichen0919
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=d9c067aa8 ]
IMPALA-12398: Fix Ranger role not exists when altering db/table/view owner to a
role
When Role '<ROLE_NAME>' is created with Ranger authorization enabled,
if 'ALTER TABLE <TABLE_NAME> SET OWNER ROLE <ROLE_NAME>' statement is
executed to assign role as the owner of the table, it will throw
AnalysisException:Role '<ROLE_NAME>' does not exist.
Before this patch, given the ALTER DATABASE/TABLE/VIEW SET OWNER ROLE
statement, Impala always checked the existence of the given role in
its AuthorizationPolicy. However, when the support for role-related
statements with Ranger was added in IMPALA-10211, we only added the
roles in RangerImpalaPlugin instead of AuthorizationPolicy.
Therefore, the statement above would fail even though an authorized
user tries to set the owner to an existing role in RangerImpalaPlugin.
This patch will directly use ranger impala plugin to check the
existence of the role, instead of using AuthorizationPolicy object.
Tests:
- Pass unit tests. test method testAlterView in AuthorizationStmtTest
is updated accordingly.
- Pass e2e tests. test method _test_ownership in test_ranger.py is
updated to cover the new implementation.
- Pass core tests with ranger enabled.
Change-Id: I2b029bdb90111dbd0eab5189360cc81090225cda
Reviewed-on: http://gerrit.cloudera.org:8080/20508
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
> Add support for role-related statements
> ---------------------------------------
>
> Key: IMPALA-10211
> URL: https://issues.apache.org/jira/browse/IMPALA-10211
> Project: IMPALA
> Issue Type: New Feature
> Components: Frontend, Security
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
> Labels: backwards-compatibility
>
> After IMPALA-9708, we dropped the support for Sentry, an authorization
> service providing role-based authorization. Since then Impala lacks support
> for role-based authorization.
> On the other hand, after RANGER-2425, Ranger added APIs for role-related SQL
> statements. It would be nice to enable role-related SQL statements in Impala
> with Ranger being the authorization provider so that users that were using
> Sentry as the authorization provider could still be using Impala if
> role-based authorization is required.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org
