Hello Quanlong Huang, Aman Sinha, Csaba Ringhofer, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/20916

to look at the new patch set (#3).

Change subject: IMPALA-12578: Pass owner user of database and table to Ranger in GRANT/REVOKE
......................................................................

IMPALA-12578: Pass owner user of database and table to Ranger in GRANT/REVOKE

After RANGER-1200, Ranger allows the owner user of a resource to grant/revoke a privilege to/from a grantee/revokee, which requires the client of the Ranger server to provide the ownership information in the requests for granting and revoking accesses. Before this patch, Impala did not provide its Ranger plug-in with the owner user of the resource in the GRANT and REVOKE statements, and thus the owner user of a resource was not able to grant/revoke a privilege to/from other principals.

This patch passes to the Ranger server the owner user of the resource in the GRANT and REVOKE statements when the resource is a database, a table, or a column. This way the owner user does not have to be explicitly granted additional privileges on the resource to execute the GRANT and REVOKE statements for the aforementioned resource types.

For user-defined functions, we will deal with this resource type in IMPALA-12685 in that it depends on IMPALA-11743, where we will have to make Impala load from Hive MetaStore the owner user of a user-defined function.

The patch also fixes a potential bug in getOwnerUser() of Db, LocalDb, Table, and LocalTable. Specifically, before this patch, when determining the owner user of a database or a table, Impala returned the owner name without verifying that the corresponding principal type is indeed a user. This was problematic because the principal type could be a group or a role.

In addition, we note that Ranger assumes implicitly that the provided owner is a user. This could be seen from the definition of GrantRevokeRequest. Before Ranger adds an additional field in GrantRevokeRequest to distinguish an owner user from an owner group, Impala will not be able to support allowing a user in an owner group to grant or revoke privileges on the resources owned by the owner group.

Testing:
 - Added an end-to-end test to verify that the owner user of a resource is able to execute the GRANT/REVOKE statements without being granted additional privileges if the resource is a database, a table, or a column.

Change-Id: Ibac5335c65a860963ef0ccd890a926af80585ef3
---
M common/thrift/JniCatalog.thrift
M fe/src/main/java/org/apache/impala/analysis/GrantRevokePrivStmt.java
M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
M fe/src/main/java/org/apache/impala/catalog/Db.java
M fe/src/main/java/org/apache/impala/catalog/Table.java
M fe/src/main/java/org/apache/impala/catalog/local/LocalDb.java
M fe/src/main/java/org/apache/impala/catalog/local/LocalTable.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M tests/authorization/test_ranger.py
10 files changed, 377 insertions(+), 23 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/16/20916/3

--
To view, visit http://gerrit.cloudera.org:8080/20916
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ibac5335c65a860963ef0ccd890a926af80585ef3
Gerrit-Change-Number: 20916
Gerrit-PatchSet: 3
Gerrit-Owner: Fang-Yu Rao <fangyu....@cloudera.com>
Gerrit-Reviewer: Aman Sinha <amsi...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <csringho...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fangyu....@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <huangquanl...@gmail.com>