Fredy Wijaya has uploaded a new patch set (#8). ( http://gerrit.cloudera.org:8080/12632 )

Change subject: IMPALA-8100: Add initial support for Ranger
......................................................................

IMPALA-8100: Add initial support for Ranger

This patch adds initial support for Ranger that can be enabled via
the following flags in both impalad and catalogd to do enforcement.
- ranger_service_type=impala
- ranger_app_id=some_app_id
- authorization_factory_class=\
    org.apache.impala.authorization.ranger.RangerAuthorizationFactory

There's a change in DESCRIBE <table> privilege requirement to use ANY
privilege instead of VIEW_METADATA privilege as the first-level check
to play nicely with Ranger. This is not a security risk since the
column-level filtering logic after the first-level check will use
VIEW_METADATA privilege to filter out unauthorized column access. In
other words, DESCRIBE <table> may return an empty result instead of
an authorization error as long as there exists any privilege in the
given table.

This patch updates AuthorizationStmtTest with a parameterized test that
runs the tests against Sentry and Ranger.

Testing:
- Updated AuthorizationStmtTest with Ranger
- Ran all FE tests
- Ran all E2E authorization tests

Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276
---
M be/src/service/frontend.cc
M be/src/util/backend-gflag-util.cc
M bin/rat_exclude_files.txt
M common/thrift/BackendGflags.thrift
M fe/pom.xml
M fe/src/main/java/org/apache/impala/analysis/DescribeTableStmt.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizationProvider.java
M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationConfig.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationFactory.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
A fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java
M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationFactory.java
M fe/src/main/java/org/apache/impala/service/BackendConfig.java
M fe/src/test/java/org/apache/impala/analysis/AnalyzerTest.java
M fe/src/test/java/org/apache/impala/analysis/AuditingTest.java
M fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java
M fe/src/test/java/org/apache/impala/authorization/sentry/SentryProxyTest.java
M fe/src/test/java/org/apache/impala/common/FrontendFixture.java
M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
M fe/src/test/java/org/apache/impala/testutil/CatalogServiceTestCatalog.java
M fe/src/test/java/org/apache/impala/testutil/ImpaladTestCatalog.java
A fe/src/test/resources/ranger-impala-audit.xml
A fe/src/test/resources/ranger-impala-security.xml
M impala-parent/pom.xml
M testdata/bin/create-load-data.sh
M testdata/cluster/.gitignore
A testdata/cluster/ranger/setup/impala_policy1.json
A testdata/cluster/ranger/setup/impala_policy2.json
A testdata/cluster/ranger/setup/impala_policy3.json
A testdata/cluster/ranger/setup/impala_service.json
A testdata/cluster/ranger/setup/impala_servicedef.json
A testdata/cluster/ranger/setup/impala_user.json.template
38 files changed, 1,378 insertions(+), 223 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/32/12632/8
--
To view, visit http://gerrit.cloudera.org:8080/12632
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276
Gerrit-Change-Number: 12632
Gerrit-PatchSet: 8
Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Bharath Vissapragada <bhara...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Paul Rogers <prog...@cloudera.com>
Gerrit-Reviewer: Philip Zeyliger <phi...@cloudera.com>
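
The two-level DESCRIBE <table> check described in the commit message, as an added, self-contained model that is not code from this patch or from Impala. All class, method, user and table names are hypothetical, the grants are constructed, and the mapping of VIEW_METADATA to SELECT or INSERT is an assumption of the model.

```java
import java.util.*;
// Simplified model of the two-level DESCRIBE <table> check (hypothetical names, not Impala classes).
public class DescribeCheckModel {
    enum Priv { SELECT, INSERT, ALTER }
    // Constructed grants: user -> (resource -> privileges). A resource is "table" or "table.column".
    static final Map<String, Map<String, Set<Priv>>> GRANTS = Map.of(
        "alice", Map.of("t", EnumSet.of(Priv.SELECT)),
        "bob",   Map.of("t.id", EnumSet.of(Priv.SELECT)),
        "carol", Map.of("t", EnumSet.of(Priv.ALTER)),
        "dave",  Map.of());
    static final List<String> COLUMNS = List.of("id", "name", "ssn");
    // Assumption of this model: VIEW_METADATA is satisfied by SELECT or INSERT, not by ALTER.
    static boolean viewsMetadata(Set<Priv> privs) {
        return privs.contains(Priv.SELECT) || privs.contains(Priv.INSERT);
    }

    // First-level check: ANY privilege on the table or on one of its columns.
    static boolean hasAny(String user, String table) {
        return GRANTS.getOrDefault(user, Map.of()).entrySet().stream()
            .anyMatch(e -> (e.getKey().equals(table) || e.getKey().startsWith(table + "."))
                && !e.getValue().isEmpty());
    }

    // Second-level check: keep only columns covered by a table-level or column-level VIEW_METADATA grant.
    static List<String> describe(String user, String table) {
        if (!hasAny(user, table)) {
            throw new SecurityException(user + " has no privilege on " + table);
        }
        Map<String, Set<Priv>> g = GRANTS.get(user);
        List<String> visible = new ArrayList<>();
        for (String col : COLUMNS) {
            if (viewsMetadata(g.getOrDefault(table, Set.of()))
                || viewsMetadata(g.getOrDefault(table + "." + col, Set.of()))) {
                visible.add(col);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        for (String user : List.of("alice", "bob", "carol", "dave")) {
            try {
                System.out.println(user + " -> " + describe(user, "t"));
            } catch (SecurityException e) {
                System.out.println(user + " -> authorization error");
            }
        }
    }
}
```

In this model carol passes the first-level check with a table grant that does not satisfy VIEW_METADATA, so she gets an empty column list rather than an authorization error, while dave, who holds nothing on the table, is rejected.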