Posted to issues-all@impala.apache.org by "Ben Breakstone (JIRA)" <ji...@apache.org> on 2018/08/22 15:43:00 UTC
[jira] [Commented] (IMPALA-2595) Impala inconsistently checks authorization on query and explain query
[ https://issues.apache.org/jira/browse/IMPALA-2595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16589036#comment-16589036 ]
Ben Breakstone commented on IMPALA-2595:
----------------------------------------
Related / duplicates?:
IMPALA-7325
IMPALA-5674
> Impala inconsistently checks authorization on query and explain query
> ---------------------------------------------------------------------
>
> Key: IMPALA-2595
> URL: https://issues.apache.org/jira/browse/IMPALA-2595
> Project: IMPALA
> Issue Type: Bug
> Components: Security
> Affects Versions: Impala 2.2
> Reporter: Juan Yu
> Priority: Minor
>
> Impala does different authorization checks on a select query and an explain select query.
> For example:
> create table foo (col int);
> create view foo_vw1 as (select * from foo);
> create view foo_vw as (select *, now() from foo);
> select * from foo_vw;
> Impala only checks if the user can access the view
> {code}
> I1022 08:49:02.224016 25705 Frontend.java:775] analyze query select * from foo_vw
> I1022 08:49:02.226773 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo_vw]] and [SELECT]
> I1022 08:49:02.236524 25705 SimpleDBPolicyEngine.java:76] Getting permissions for [analyst, user1]
> I1022 08:49:02.236763 25705 SimpleDBPolicyEngine.java:80] result = [server=server1->db=iah_crm_analysis, server=server1->db=default, server=server1->db=iah_crm_analysis_views, server=server1->db=iah_crm_analysis_views->table=simple_view->action=select, server=server1->db=_impala_builtins]
> I1022 08:49:02.237030 25705 ResourceAuthorizationProvider.java:113] ProviderPrivilege server=server1->db=iah_crm_analysis, RequestPrivilege Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet, ActiveRoleSet = [ roles = ALL , Result false
> I1022 08:49:02.237216 25705 ResourceAuthorizationProvider.java:113] ProviderPrivilege server=server1->db=default, RequestPrivilege Server=server1->Db=default->Table=foo_vw1->action=select, RoleSet, ActiveRoleSet = [ roles = ALL , Result true
> I1022 08:49:02.237313 25705 Frontend.java:849] create plan
> {code}
> explain select * from foo_vw1;
> Impala checks if the user can access both the view and the underlying table
> {code}
> I1022 08:45:15.358471 25705 Frontend.java:775] analyze query explain select * from foo_vw1
> I1022 08:45:15.359199 25705 Frontend.java:724] Requesting prioritized load of table(s): default.foo_vw1
> I1022 08:45:18.388422 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo_vw1]] and [SELECT]
> I1022 08:45:18.393242 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo]] and [SELECT]
> {code}
> explain select * from foo_vw;
> If the view contains a builtin function, Impala will check if the user can access the builtin database "_impala_builtins" as well.
> {code}
> I1022 08:41:35.863819 25705 Frontend.java:775] analyze query explain select * from foo_vw
> I1022 08:41:35.864527 25705 Frontend.java:724] Requesting prioritized load of table(s): default.foo_vw
> I1022 08:41:40.283463 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo_vw]] and [SELECT]
> I1022 08:41:40.284415 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo]] and [SELECT]
> I1022 08:41:40.288105 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=_impala_builtins]] and [INSERT]
> I1022 08:41:40.289621 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=_impala_builtins]] and [INSERT]
> {code}
> This doesn't seem to make sense.
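One way to surface the inconsistency described in the report from impalad logs, as an added example that is not part of the original thread or of the Impala code base. The function names are hypothetical, the sample lines are constructed in the format of the quoted excerpts, and the script assumes the third log field is the thread id and that EXPLAIN statements are logged with a lowercase "explain " prefix.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the impalad log lines quoted in the report.
SAMPLE_LOG = """\
I1022 08:49:02.224016 25705 Frontend.java:775] analyze query select * from foo_vw
I1022 08:49:02.226773 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo_vw]] and [SELECT]
I1022 08:49:02.237313 25705 Frontend.java:849] create plan
I1022 08:41:35.863819 25705 Frontend.java:775] analyze query explain select * from foo_vw
I1022 08:41:40.283463 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo_vw]] and [SELECT]
I1022 08:41:40.284415 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=default], Table [name=foo]] and [SELECT]
I1022 08:41:40.288105 25705 ResourceAuthorizationProvider.java:82] Authorization Request for Subject [name=user1] [Server [name=server1], Database [name=_impala_builtins]] and [INSERT]
"""

PREFIX = re.compile(r"^\S+ \S+ (?P<tid>\d+) ")
ANALYZE = re.compile(r"\] analyze query (?P<stmt>.+)$")
AUTHZ = re.compile(r"Authorization Request for Subject \[name=(?P<user>[^\]]+)\] "
                   r"\[(?P<res>.+)\] and \[(?P<action>\w+)\]$")
NAME = re.compile(r"(Database|Table) \[name=([^\]]+)\]")

def checks_by_statement(log_text):
    """Map each analyzed statement to the set of (user, resource, action) checks logged for it."""
    checks, current = defaultdict(set), {}  # current: thread id -> statement being analyzed
    for line in log_text.splitlines():
        p = PREFIX.match(line)
        if not p:
            continue
        tid = p.group("tid")
        m = ANALYZE.search(line)
        if m:
            current[tid] = m.group("stmt").strip()
            checks[current[tid]]  # record the statement even if no check follows
            continue
        m = AUTHZ.search(line)
        if m and tid in current:
            parts = dict(NAME.findall(m.group("res")))
            res = ".".join(v for v in (parts.get("Database"), parts.get("Table")) if v)
            checks[current[tid]].add((m.group("user"), res, m.group("action")))
    return dict(checks)

def explain_only_checks(checks):
    """Checks requested for 'explain <stmt>' but not for the plain <stmt>."""
    return {stmt: checks["explain " + stmt] - plain
            for stmt, plain in checks.items()
            if "explain " + stmt in checks and checks["explain " + stmt] - plain}
```

A non-empty result from explain_only_checks means the plain statement was authorized against fewer resources than its EXPLAIN form, which is the mismatch the report describes.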