You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Abhishek (Jira)" <ji...@apache.org> on 2022/09/28 20:20:00 UTC

[jira] [Created] (IMPALA-11622) Impala load data command fails when the impala user has access on source file through Ranger policy

Abhishek created IMPALA-11622:
---------------------------------

             Summary: Impala load data command fails when the impala user has access on source file through Ranger policy
                 Key: IMPALA-11622
                 URL: https://issues.apache.org/jira/browse/IMPALA-11622
             Project: IMPALA
          Issue Type: Bug
            Reporter: Abhishek


When trying to run the load data command in Impala, 
if the Impala user has access on the source file through a Ranger HDFS policy,
then the load data command fails.
If the impala user has access on the source file through HDFS ACLs,
then the load data command executes successfully.

Steps to reproduce :-
Ranger policy setup
HDFS policies
Policy 1 :-
All access policy for HDFS user
user - hdfs
resources - * , recursive=true
access - all access allowed

Policy 2 :-
Access for impala user on /root_test_dir/test_dir_2
user - impala 
resources - /root_test_dir/test_dir_2 , recursive = true
access - all access allowed

Hadoop SQL policies
Policy 1 : All access policy for hrt_qa, hive and impala user
users - hrt_qa, impala, hive
resources - db - *, table - *, column - *
access - all access allowed

Policy 2 : Url policy for hrt_qa user
users - hrt_qa
resources :- url - *
access - all access allowed

Data setup :-
In HDFS,
create the following directories as the hdfs user
{code:java|bgColor=#f4f5f7}
/root_test_dir
/root_test_dir/test_dir_1
/root_test_dir/test_dir_2{code}
Create a text file in local machine temp.txt with the any content ( for ex :- Hello World)
Then copy the temp.txt file to the HDFS dirs /root_test_dir/test_dir_1 and /root_test_dir/test_dir_2 

Set the ACLs for /root_test_dir/test_dir_1 to 777 recursively
{code:java|bgColor=#f4f5f7}
hdfs dfs -chmod -R 777 /root_test_dir/test_dir_1 {code}
 
Set the ACLs for /root_test_dir/test_dir_2 to 000 recursively
{code:java|bgColor=#f4f5f7}
hdfs dfs -chmod -R 000 /root_test_dir/test_dir_2{code}
(Run all the hdfs commands as the hdfs user)

In Impala-shell, as hrt_qa user
create a test_db and create a test_table under test_db.
{code:java|bgColor=#f4f5f7}
CREATE TABLE test_db.test_table(c0 string) STORED AS TEXTFILE TBLPROPERTIES('transactional'='false'){code}
 

Run the LOAD DATA command as hrt_qa user :-
{code:java|bgColor=#f4f5f7}
test_db> LOAD DATA INPATH '/root_test_dir/test_dir_1/temp.txt' INTO TABLE test_db.test_table
                                                           > ;
Query: LOAD DATA INPATH '/root_test_dir/test_dir_1/temp.txt' INTO TABLE test_db.test_table
+----------------------------------------------------------+
| summary                                                  |
+----------------------------------------------------------+
| Loaded 1 file(s). Total files in destination location: 1 |
+----------------------------------------------------------+
Fetched 1 row(s) in 6.56s {code}
Failing case :-
{code:java}
test_db> LOAD DATA INPATH '/root_test_dir/test_dir_2/temp.txt' INTO TABLE test_db.test_table; Query: LOAD DATA INPATH '/root_test_dir/test_dir_2/temp.txt' INTO TABLE test_db.test_table ERROR: AccessControlException: Permission denied: user=impala, access=READ, inode="/warehouse/tablespace/external/hive/test_db.db/test_table/.tmp_4b9b3a83-f4f9-4363-81ae-21f5c170c1bd/temp.txt":hdfs:supergroup:---------- {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)