Bharath Vissapragada has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/14229 )

Change subject: IMPALA-8930: [DOCS] Object ownership support when integrated 
with Ranger
......................................................................


Patch Set 1:

(5 comments)

http://gerrit.cloudera.org:8080/#/c/14229/1/docs/shared/impala_common.xml
File docs/shared/impala_common.xml:

http://gerrit.cloudera.org:8080/#/c/14229/1/docs/shared/impala_common.xml@123
PS1, Line 123:       <p id="sentry_privileges_objects">
This should be in Ranger integration section?


http://gerrit.cloudera.org:8080/#/c/14229/1/docs/shared/impala_common.xml@128
PS1, Line 128: includes
implies? (nit: extra space)


http://gerrit.cloudera.org:8080/#/c/14229/1/docs/topics/impala_authorization.xml
File docs/topics/impala_authorization.xml:

http://gerrit.cloudera.org:8080/#/c/14229/1/docs/topics/impala_authorization.xml@156
PS1, Line 156:         ownership is enabled by default in Impala,
I think this should be rephrased.

Object ownership for tables, views and databases is enabled by default in 
Impala. To define owner-specific privileges, go to the Ranger UI and define 
appropriate policies on the {OWNER} user....


http://gerrit.cloudera.org:8080/#/c/14229/1/docs/topics/impala_authorization.xml@162
PS1, Line 162: An owner has the <codeph>OWNER</codeph> privilege if enabled in
             :         Sentry.
remove.


http://gerrit.cloudera.org:8080/#/c/14229/1/docs/topics/impala_authorization.xml@173
PS1, Line 173:       </p>
We should also mention the caveat with Ranger ownership integration that "SHOW 
TABLES" may not work as expected. I added it in the commit message [1]. TL;DR: 
the "show tables" command cannot infer ownership information because the current 
design of metadata lacks aggressive caching of ownership information. The 
resulting user behavior is that "show tables" does not list the table, even 
though a user owns it, unless it is fully loaded in the coordinator catalog 
cache (IMPALA-8937). Users can still run queries on the table (like select * 
from foo) because these kinds of statements preload the table before performing 
the authz checks.

[1] 
https://github.com/apache/impala/commit/ced6e98fb4c361efa4bcc7e5441ccdb8debba8e9



-- 
To view, visit http://gerrit.cloudera.org:8080/14229
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie4fdaf05953373c8d1870b7eface257830c7c6e5
Gerrit-Change-Number: 14229
Gerrit-PatchSet: 1
Gerrit-Owner: Alex Rodoni <arod...@cloudera.com>
Gerrit-Reviewer: Bharath Vissapragada <bhara...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Comment-Date: Mon, 16 Sep 2019 17:30:58 +0000
Gerrit-HasComments: Yes
