Posted to issues@impala.apache.org by "Abhishek (Jira)" <ji...@apache.org> on 2022/09/28 20:20:00 UTC
[jira] [Created] (IMPALA-11622) Impala load data command fails when the impala user has access on source file through Ranger policy
Abhishek created IMPALA-11622:
---------------------------------
Summary: Impala load data command fails when the impala user has access on source file through Ranger policy
Key: IMPALA-11622
URL: https://issues.apache.org/jira/browse/IMPALA-11622
Project: IMPALA
Issue Type: Bug
Reporter: Abhishek
When trying to run the load data command in Impala,
if the Impala user has access on the source file through a Ranger HDFS policy,
then the load data command fails.
If the impala user has access on the source file through HDFS ACLs,
then the load data command executes successfully.
Steps to reproduce :-
Ranger policy setup
HDFS policies
Policy 1 :-
All access policy for HDFS user
user - hdfs
resources - * , recursive=true
access - all access allowed
Policy 2 :-
Access for impala user on /root_test_dir/test_dir_2
user - impala
resources - /root_test_dir/test_dir_2 , recursive = true
access - all access allowed
Hadoop SQL policies
Policy 1 : All access policy for hrt_qa, hive and impala user
users - hrt_qa, impala, hive
resources - db - *, table - *, column - *
access - all access allowed
Policy 2 : Url policy for hrt_qa user
users - hrt_qa
resources :- url - *
access - all access allowed
Data setup :-
In HDFS,
create the following directories as the hdfs user
{code:java|bgColor=#f4f5f7}
/root_test_dir
/root_test_dir/test_dir_1
/root_test_dir/test_dir_2{code}
Create a text file temp.txt on the local machine with any content (for example: Hello World)
Then copy the temp.txt file to the HDFS dirs /root_test_dir/test_dir_1 and /root_test_dir/test_dir_2
Set the ACLs for /root_test_dir/test_dir_1 to 777 recursively
{code:java|bgColor=#f4f5f7}
hdfs dfs -chmod -R 777 /root_test_dir/test_dir_1 {code}
Set the ACLs for /root_test_dir/test_dir_2 to 000 recursively
{code:java|bgColor=#f4f5f7}
hdfs dfs -chmod -R 000 /root_test_dir/test_dir_2{code}
(Run all the hdfs commands as the hdfs user)
In Impala-shell, as hrt_qa user
create a test_db and create a test_table under test_db.
{code:java|bgColor=#f4f5f7}
CREATE TABLE test_db.test_table(c0 string) STORED AS TEXTFILE TBLPROPERTIES('transactional'='false'){code}
Run the LOAD DATA command as hrt_qa user :-
{code:java|bgColor=#f4f5f7}
test_db> LOAD DATA INPATH '/root_test_dir/test_dir_1/temp.txt' INTO TABLE test_db.test_table
> ;
Query: LOAD DATA INPATH '/root_test_dir/test_dir_1/temp.txt' INTO TABLE test_db.test_table
+----------------------------------------------------------+
| summary |
+----------------------------------------------------------+
| Loaded 1 file(s). Total files in destination location: 1 |
+----------------------------------------------------------+
Fetched 1 row(s) in 6.56s {code}
Failing case :-
{code:java}
test_db> LOAD DATA INPATH '/root_test_dir/test_dir_2/temp.txt' INTO TABLE test_db.test_table;
Query: LOAD DATA INPATH '/root_test_dir/test_dir_2/temp.txt' INTO TABLE test_db.test_table
ERROR: AccessControlException: Permission denied: user=impala, access=READ, inode="/warehouse/tablespace/external/hive/test_db.db/test_table/.tmp_4b9b3a83-f4f9-4363-81ae-21f5c170c1bd/temp.txt":hdfs:supergroup:---------- {code}
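Added example (not part of the original report and not Impala, Ranger or HDFS code): a simplified model of the access checks the two cases above exercise. It assumes that a matching Ranger HDFS policy allows access and that HDFS mode bits decide otherwise, and that LOAD DATA stages the file with a move that keeps owner and mode, as the `hdfs:supergroup:----------` inode in the error suggests. The names `Inode`, `ranger_allows`, `mode_allows_read`, `can_read` and `stage` are hypothetical.

```python
# Simplified model (an assumption, not Ranger or HDFS source code):
# a matching Ranger HDFS policy allows access; otherwise HDFS mode bits decide.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Inode:
    path: str
    owner: str
    group: str
    mode: int  # POSIX mode bits, e.g. 0o777

# Ranger HDFS policies from the report: (user, resource, recursive).
POLICIES = [("hdfs", "*", True), ("impala", "/root_test_dir/test_dir_2", True)]

def ranger_allows(user, path):
    for p_user, res, recursive in POLICIES:
        if p_user != user:
            continue
        if res == "*" or path == res or (recursive and path.startswith(res + "/")):
            return True
    return False

def mode_allows_read(user, groups, inode):
    if user == inode.owner:
        bits = inode.mode >> 6
    elif inode.group in groups:
        bits = inode.mode >> 3
    else:
        bits = inode.mode
    return bool(bits & 0o4)

def can_read(user, groups, inode):
    if ranger_allows(user, inode.path):
        return "ALLOW (Ranger policy)"
    if mode_allows_read(user, groups, inode):
        return "ALLOW (HDFS mode bits)"
    return "DENY"

def stage(inode, staging_dir):
    # Assumed: the move keeps owner, group and mode; only the path changes.
    return replace(inode, path=staging_dir + "/" + inode.path.rsplit("/", 1)[1])

# Staging directory taken from the error message in the report.
STAGING = ("/warehouse/tablespace/external/hive/test_db.db/test_table/"
           ".tmp_4b9b3a83-f4f9-4363-81ae-21f5c170c1bd")
ok_src = Inode("/root_test_dir/test_dir_1/temp.txt", "hdfs", "supergroup", 0o777)
bad_src = Inode("/root_test_dir/test_dir_2/temp.txt", "hdfs", "supergroup", 0o000)

if __name__ == "__main__":
    for src in (ok_src, bad_src):
        for inode in (src, stage(src, STAGING)):
            print(inode.path, "->", can_read("impala", {"impala"}, inode))
```

Under these assumptions the policy-granted read on the source path does not follow the file into the staging directory, which matches the `user=impala, access=READ` denial in the failing case.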