[ https://issues.apache.org/jira/browse/IMPALA-10211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17795200#comment-17795200 ]
ASF subversion and git services commented on IMPALA-10211: ---------------------------------------------------------- Commit d9c067aa89313547c1d8dbf3840ebe308726f8c3 in impala's branch refs/heads/master from jichen0919 [ https://gitbox.apache.org/repos/asf?p=impala.git;h=d9c067aa8 ] IMPALA-12398: Fix Ranger role not exists when altering db/table/view owner to a role When Role '<ROLE_NAME>' is created with Ranger authorization enabled, if 'ALTER TABLE <TABLE_NAME> SET OWNER ROLE <ROLE_NAME>' statement is executed to assign role as the owner of the table, it will throw AnalysisException:Role '<ROLE_NAME>' does not exist. Before this patch, given the ALTER DATABASE/TABLE/VIEW SET OWNER ROLE statement, Impala always checked the existence of the given role in its AuthorizationPolicy. However, when the support for role-related statements with Ranger was added in IMPALA-10211, we only added the roles in RangerImpalaPlugin instead of AuthorizationPolicy. Therefore, the statement above would fail even though an authorized user tries to set the owner to an existing role in RangerImpalaPlugin. This patch will directly use ranger impala plugin to check the existence of the role, instead of using AuthorizationPolicy object. Tests: - Pass unit tests. test method testAlterView in AuthorizationStmtTest is updated accordingly. - Pass e2e tests. test method _test_ownership in test_ranger.py is updated to cover the new implementation. - Pass core tests with ranger enabled. Change-Id: I2b029bdb90111dbd0eab5189360cc81090225cda Reviewed-on: http://gerrit.cloudera.org:8080/20508 Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com> > Add support for role-related statements > --------------------------------------- > > Key: IMPALA-10211 > URL: https://issues.apache.org/jira/browse/IMPALA-10211 > Project: IMPALA > Issue Type: New Feature > Components: Frontend, Security > Reporter: Fang-Yu Rao > Assignee: Fang-Yu Rao > Priority: Major > Labels: backwards-compatibility > > After IMPALA-9708, we dropped the support for Sentry, an authorization > service providing role-based authorization. Since then Impala lacks support > for role-based authorization. > On the other hand, after RANGER-2425, Ranger added APIs for role-related SQL > statements. It would be nice to enable role-related SQL statements in Impala > with Ranger being the authorization provider so that users that were using > Sentry as the authorization provider could still be using Impala if > role-based authorization is required. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org