Fredy Wijaya has uploaded a new patch set (#8). ( http://gerrit.cloudera.org:8080/12632 )
Change subject: IMPALA-8100: Add initial support for Ranger ...................................................................... IMPALA-8100: Add initial support for Ranger This patch adds an initial support for Ranger that can be enabled via the following flags in both impalad and catalogd to do enforcement. - ranger_service_type=impala - ranger_app_id=some_app_id - authorization_factory_class=\ org.apache.impala.authorization.ranger.RangerAuthorizationFactory There's a change in DESCRIBE <table> privilege requirement to use ANY privilege instead of VIEW_METADATA privilege as the first-level check to play nicely with Ranger. This is not a security risk since the column-level filtering logic after the first-level check will use VIEW_METADATA privilege to filter out unauthorized column access. In other words, DESCRIBE <table> may return an empty result instead of an authorization error as long as there exists any privilege in the given table. This patch updates AuthorizationStmtTest with a parameterized test that runs the tests against Sentry and Ranger. Testing: - Updated AuthorizationStmtTest with Ranger - Ran all FE tests - Ran all E2E authorization tests Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276 --- M be/src/service/frontend.cc M be/src/util/backend-gflag-util.cc M bin/rat_exclude_files.txt M common/thrift/BackendGflags.thrift M fe/pom.xml M fe/src/main/java/org/apache/impala/analysis/DescribeTableStmt.java M fe/src/main/java/org/apache/impala/authorization/AuthorizationProvider.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/Privilege.java A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationConfig.java A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationFactory.java A fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java A fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationFactory.java M fe/src/main/java/org/apache/impala/service/BackendConfig.java M fe/src/test/java/org/apache/impala/analysis/AnalyzerTest.java M fe/src/test/java/org/apache/impala/analysis/AuditingTest.java M fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java M fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java M fe/src/test/java/org/apache/impala/authorization/sentry/SentryProxyTest.java M fe/src/test/java/org/apache/impala/common/FrontendFixture.java M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java M fe/src/test/java/org/apache/impala/testutil/CatalogServiceTestCatalog.java M fe/src/test/java/org/apache/impala/testutil/ImpaladTestCatalog.java A fe/src/test/resources/ranger-impala-audit.xml A fe/src/test/resources/ranger-impala-security.xml M impala-parent/pom.xml M testdata/bin/create-load-data.sh M testdata/cluster/.gitignore A testdata/cluster/ranger/setup/impala_policy1.json A testdata/cluster/ranger/setup/impala_policy2.json A testdata/cluster/ranger/setup/impala_policy3.json A testdata/cluster/ranger/setup/impala_service.json A testdata/cluster/ranger/setup/impala_servicedef.json A testdata/cluster/ranger/setup/impala_user.json.template 38 files changed, 1,378 insertions(+), 223 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/32/12632/8 -- To view, visit http://gerrit.cloudera.org:8080/12632 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276 Gerrit-Change-Number: 12632 Gerrit-PatchSet: 8 Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com> Gerrit-Reviewer: Bharath Vissapragada <bhara...@cloudera.com> Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Paul Rogers <prog...@cloudera.com> Gerrit-Reviewer: Philip Zeyliger <phi...@cloudera.com>