Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17185 )
Change subject: IMPALA-10483: Support subqueries in Ranger masking policies ...................................................................... Patch Set 3: (3 comments) Rebased the patch to base on https://gerrit.cloudera.org/c/17199 http://gerrit.cloudera.org:8080/#/c/17185/2//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/17185/2//COMMIT_MSG@7 PS2, Line 7: IMPALA-10483: Support subqueries in Ranger masking policies > I think the code changes in the patch are straightforward. Regarding testi I think COMPUTE STATS should be blocked since it required ALTER privilege (same as the issue in IMPALA-10554). The target user can only SELECT the table. Let's deal with such issues in IMPALA-10554 together. http://gerrit.cloudera.org:8080/#/c/17185/2/testdata/workloads/functional-query/queries/QueryTest/ranger_row_filtering.test File testdata/workloads/functional-query/queries/QueryTest/ranger_row_filtering.test: http://gerrit.cloudera.org:8080/#/c/17185/2/testdata/workloads/functional-query/queries/QueryTest/ranger_row_filtering.test@167 PS2, Line 167: INT,BOOLEAN,STRING > A few questions/comments: The row filter can have any expressions as long as they are correct in syntax and semantic. Would you won't more complex row filters in tests? http://gerrit.cloudera.org:8080/#/c/17185/2/tests/authorization/test_ranger.py File tests/authorization/test_ranger.py: http://gerrit.cloudera.org:8080/#/c/17185/2/tests/authorization/test_ranger.py@1232 PS2, Line 1232: admin_client.execute("grant select on database tpch to user %s" % user) > In this row filter would a correlation condition contained entirely within > the row filter be ok ? e.g ..select n_nationkey from nation n1 where n_name in (select n_name from nation n2 where n1.n_regionkey = n2.n_regionkey). Yeah, it should work. But this filter don't contain 'current_user()' so the policy will have the same effects for all users. Let me try to add a similar test. > could we also add a negative test where the correlation is to a table in the > parent query, not in the row filter itself. That one is expected to fail. > (Maybe you already have this test .. if so, feel free to ignore). Yeah, I think the tests in ranger_row_filtering.test about 'test_id' satisfy these. -- To view, visit http://gerrit.cloudera.org:8080/17185 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I254df9f684c95c660f402abd99ca12dded7e764f Gerrit-Change-Number: 17185 Gerrit-PatchSet: 3 Gerrit-Owner: Quanlong Huang <huangquanl...@gmail.com> Gerrit-Reviewer: Aman Sinha <amsi...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Quanlong Huang <huangquanl...@gmail.com> Gerrit-Comment-Date: Thu, 18 Mar 2021 13:50:39 +0000 Gerrit-HasComments: Yes