[
https://issues.apache.org/jira/browse/IMPALA-14507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056867#comment-18056867
]
ASF subversion and git services commented on IMPALA-14507:
----------------------------------------------------------
Commit 09bed366fe7e681108f164ee53433b791dada90a in impala's branch
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=09bed366f ]
IMPALA-14507: Register column-level privilege requests for INSERT
This patch registers column-level privilege requests for columns
involved in the INSERT statement so that the requesting user does not
need to be granted the INSERT privilege on the entire table. This would
be helpful in the case when different users are allowed to insert data
into different sets of columns in the same table. Moreover, column-level
Ranger audit events for INSERT requests will be produced after this
patch.
This would also allow an administrator to add deny policies on columns
against a user if we would like to prevent the user from inserting data
into the specified columns.
On the other hand, this patch slightly revises the Preconditions checks
in BaseAuthorizationChecker#authorize() so that it is easier to
understand what those checks verify. The code comment there explicitly
mentions that for a statement that may produce several hierarchical
privilege requests, it should always have a corresponding table-level
privilege request if it has a column-level privilege request. This was
not entirely true and could not be detected by the previous checks.
Specifically, for the CREATE TABLE <db>.<target_tbl> AS SELECT
statement, we would register an ANY privilege request for the column
with wildcard table and column names denoting any column and table in
the database the target table belongs, i.e., '<db>.*.*', whereas there
was no privilege request for the table '<db>.*' registered. This patch
corrects this by registering an ANY privilege request for the database
of the target table instead. Due to this, we also changed the expected
error messages for some Java and end-to-end authorization-related tests.
This should not affect the security in that the resulting
RangerResourceImpl sent to the Ranger plug-in is the same whether the
privilege request is an ANY privilege request for the wildcard column
'<db>.*.*' or an ANY privilege request for the database '<db>'. Refer to
RangerAuthorizationChecker#authorizeResource() for more details.
Testing:
- Added frontend and end-to-end tests to verify that
a) we register column-level privilege requests in the INSERT
statement in addition to the table-level one,
b) a user is not allowed to insert data into a column of a table
if there is a deny policy defined on the column against the user,
even though the user was already granted the INSERT privilege on
the table,
c) a user is not allowed to insert data into a column if there is a
column masking policy defined on any column of the same table,
even though the user was already granted the INSERT privilege on
the table (RANGER-1087 and IMPALA-10554),
d) a user is allowed to insert data into a set of columns of a table
as long as the user was granted the INSERT privileges on those
columns given that there is no deny policy on those columns and
no column masking policy on any column of the same table,
e) column-level Ranger audit events could be produced after the
introduction of column-level INSERT privilege,
f) we are able to grant, revoke column-level INSERT privileges via
the catalog server, and show column-level INSERT privileges via a
coordinator.
Change-Id: I2ef61801d3b394c56702b193c250492a62b111df
Reviewed-on: http://gerrit.cloudera.org:8080/23569
Reviewed-by: Quanlong Huang <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Csaba Ringhofer <[email protected]>
> Consider lowering the privileges required for inserting data into a table
> -------------------------------------------------------------------------
>
> Key: IMPALA-14507
> URL: https://issues.apache.org/jira/browse/IMPALA-14507
> Project: IMPALA
> Issue Type: Improvement
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Minor
>
> Currently Impala requires a requesting user to have the INSERT privilege on a
> table, if the requesting user wants to insert a row into the table, even when
> the requesting user only wants to insert values into some but not all columns
> in the target table. For instance, consider the following query. It may be
> less restrictive from a user's perspective, if the requesting user only needs
> the INSERT privileges on the columns 'id', 'month', and 'year', but not other
> columns, e.g., 'bool_col'.
> {code:java}
> insert into functional.alltypestiny(id, month, year) values (123, 1, 2025);
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
