Hello Quanlong Huang, Aman Sinha, Csaba Ringhofer, Impala Public Jenkins, I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/17640 to look at the new patch set (#9). Change subject: IMPALA-10436: Support storage handler privileges for external Kudu table creation ...................................................................... IMPALA-10436: Support storage handler privileges for external Kudu table creation This patch lowers the privilege requirement for external Kudu table creation. Before this patch, a user was required to have the ALL privilege on SERVER if the user wanted to create an external Kudu table. In this patch we introduce a new type of resources called storage handler URI and a new access type called RWSTORAGE that will be supported by Apache Ranger once RANGER-3281 is resolved, which in turn depends on the release of Apache Hive 4.0 that consists of HIVE-24705. Specifically, after this patch, a user will be allowed to create an external Kudu table as long as the user is granted the RWSTORAGE privilege on the resource specified by a storage handler URI that points to an existing Kudu table. For instance, in order for a user 'non_owner' to create an external Kudu table based on an existing Kudu table 'impala::tpch_kudu.nation', it suffices to execute the following command as an administrator to grant the necessary privilege to the requesting user, where "localhost" is the default address of Kudu master host assuming there is only one single master host in this example. GRANT RWSTORAGE ON STORAGEHANDLER_URI 'kudu://localhost/impala::tpch_kudu.nation' TO USER non_owner One may be wondering why we do not simply cancel the privilege check that required the ALL privilege on SERVER for external Kudu table creation. One scenario in which such relaxation is not secure is when the owner or the creator of the existing Kudu table is different from the requesting user who wants to create an external Kudu table in Impala. Not requiring any additional privilege check would allow a user without any privilege to retrieve the contents of the existing Kudu table. On the other hand, after this patch we still require a user to have the ALL privilege on SERVER when the table property of 'kudu.master_addresses' is specified in a query that tries to create a Kudu table whether or not the table is external. To be more specific, the user 'non_owner' would be able to create an external Kudu table using the following statement once being granted the RWSTORAGE privilege on the specified storage handler URI above. CREATE EXTERNAL TABLE default.kudu_tbl STORED AS KUDU TBLPROPERTIES ('kudu.table_name'='impala::tpch_kudu.nation') However, the following query submitted by the same user would be rejected due to the user 'non_owner' not being granted the ALL privilege on SERVER. CREATE EXTERNAL TABLE default.kudu_tbl STORED AS KUDU TBLPROPERTIES ('kudu.table_name'='impala::tpch_kudu.nation', 'kudu.master_addresses'='localhost') We do not relax such a requirement in that specifying the addresses of Kudu master hosts to connect should still be considered as an administrative operation. Testing: - Added various FE and E2E tests to verify Impala's behavior after this patch with respect to external Kudu table creation. - Verified that this patch passes the core tests in the DEBUG build. Change-Id: I7936e1d8c48696169f7ad7ad92abe44a26eea3c4 --- M common/thrift/CatalogObjects.thrift M fe/src/main/cup/sql-parser.cup M fe/src/main/java/org/apache/impala/analysis/CreateTableStmt.java M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java M fe/src/main/java/org/apache/impala/analysis/ShowGrantPrincipalStmt.java A fe/src/main/java/org/apache/impala/analysis/StorageHandlerUri.java M fe/src/main/java/org/apache/impala/authorization/Authorizable.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java A fe/src/main/java/org/apache/impala/authorization/AuthorizableStorageHandlerUri.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/Privilege.java M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java M fe/src/main/jflex/sql-scanner.flex M fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java M testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test M tests/authorization/test_ranger.py 24 files changed, 774 insertions(+), 231 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/40/17640/9 -- To view, visit http://gerrit.cloudera.org:8080/17640 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I7936e1d8c48696169f7ad7ad92abe44a26eea3c4 Gerrit-Change-Number: 17640 Gerrit-PatchSet: 9 Gerrit-Owner: Fang-Yu Rao <fangyu....@cloudera.com> Gerrit-Reviewer: Aman Sinha <amsi...@cloudera.com> Gerrit-Reviewer: Csaba Ringhofer <csringho...@cloudera.com> Gerrit-Reviewer: Fang-Yu Rao <fangyu....@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Quanlong Huang <huangquanl...@gmail.com>