Bharath Vissapragada has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/12927 )

Change subject: IMPALA-8363: Deny access when column masking or row filtering 
is enabled in Ranger
......................................................................


Patch Set 4:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/12927/4/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
File 
fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java:

http://gerrit.cloudera.org:8080/#/c/12927/4/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@160
PS4, Line 160:       case COLUMN:
> I'm a bit confused by the implementation here...
I had somewhat similar concerns and I was chatting with Fredy offline on how we 
could reuse the privilege reqs populated in the original Analyzer pass. It 
looks like there are a couple of issues based on our discussion:

- We use "SELECT" privilege pretty loosely. For example, something like 
describe table foo requires a "SELECT" privilege on column foo.a. In such a 
case if there is masking on foo.a, should describe fail (too restrictive) or 
should we intelligently catch and ignore it, since masking shouldn't affect a 
describe output?

- There are some subtleties around how we populate column privilege requests 
for base table columns in views (the whole logic around maskedPrivilegeReqs). 
We should probably consider those too.

Overall, I prefer if we could avoid duplicating the traversal path again here.



--
To view, visit http://gerrit.cloudera.org:8080/12927
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If46b4bf24d916e4a4ea8a36ff4acfd95d5f45c8e
Gerrit-Change-Number: 12927
Gerrit-PatchSet: 4
Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <ano...@cloudera.com>
Gerrit-Reviewer: Bharath Vissapragada <bhara...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-Comment-Date: Fri, 05 Apr 2019 20:39:43 +0000
Gerrit-HasComments: Yes
