Posted to issues-all@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2021/10/25 20:28:00 UTC

[jira] [Updated] (IMPALA-10986) Specific privilege should be required to execute a UDF in Impala

     [ https://issues.apache.org/jira/browse/IMPALA-10986?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fang-Yu Rao updated IMPALA-10986:
---------------------------------
    Attachment: ranger_policy_for_udfs_impala.png

> Specific privilege should be required to execute a UDF in Impala
> ----------------------------------------------------------------
>
>                 Key: IMPALA-10986
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10986
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 4.0.0
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>         Attachments: ranger_policy_for_udfs_impala.png
>
>
> We found that currently in Impala, to execute a UDF, a user only has to be granted one of the 3 privileges in {{INSERT}}, {{SELECT}}, {{REFRESH}} on the database (i.e., the {{VIEW_METADATA}} privilege on the database) where the UDF was created. No additional privilege on the UDF is required. An example of the policy added via Ranger's web UI is also provided here.
> The privilege request of {{VIEW_METADATA}} on the database is registered within [analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA, true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557]. This is the reason why the user has to be granted the VIEW_METADATA privilege on the database to be able to execute the UDF.
> Recall that the registration of the privilege mentioned above occurs in [FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531] where Impala's frontend analyzes the given function in a query.
> I noticed in the same method above at https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535, Impala is able to determine whether the current function is a UDF or not. Thus it seems that to fix the problem, we need to additionally register the corresponding privilege request for a UDF (vs. a built-in function) other than the {{VIEW_METADATA}} privilege on the database.
> We should thus provide a fix for the issue.



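The authorization gap described in the issue above, as an added Python model that is not part of the original message and is not Impala's code. It compares the privilege requests registered for a UDF call today with the additional request the report proposes, and lists the users whose access would change. The names `Request`, `analyze_udf_call`, `is_authorized`, `exposed_users` and the privilege name `UDF_EXECUTE` are hypothetical (the message does not name the new privilege), and the grants are constructed sample data.

```python
# Added model of the privilege check described in IMPALA-10986. Not Impala code.
# Request, analyze_udf_call, is_authorized, exposed_users and the privilege
# name "UDF_EXECUTE" are hypothetical; the page does not name the new privilege.
from dataclasses import dataclass

# Per the report, any one of these on the database satisfies VIEW_METADATA.
VIEW_METADATA = frozenset({"INSERT", "SELECT", "REFRESH"})
UDF_PRIVILEGE = "UDF_EXECUTE"  # placeholder for the function-level privilege


@dataclass(frozen=True)
class Request:
    resource: tuple       # ("db", db) or ("function", db, fn)
    any_of: frozenset     # holding any one of these satisfies the request


def analyze_udf_call(db, fn, require_udf_privilege):
    """Privilege requests registered while analyzing a call to UDF db.fn."""
    requests = [Request(("db", db), VIEW_METADATA)]  # the only request today
    if require_udf_privilege:  # the additional request the report proposes
        requests.append(Request(("function", db, fn), frozenset({UDF_PRIVILEGE})))
    return requests


def is_authorized(grants, user, requests):
    """A query passes only if every registered request is satisfied."""
    return all(any((user, r.resource, p) in grants for p in r.any_of)
               for r in requests)


def exposed_users(grants, db, fn):
    """Users who can run db.fn today but would fail the proposed check."""
    users = {u for (u, _, _) in grants}
    before = analyze_udf_call(db, fn, require_udf_privilege=False)
    after = analyze_udf_call(db, fn, require_udf_privilege=True)
    return sorted(u for u in users
                  if is_authorized(grants, u, before)
                  and not is_authorized(grants, u, after))


# Constructed sample grants: (user, resource, privilege).
GRANTS = {
    ("alice", ("db", "sales"), "SELECT"),    # database-level read only
    ("bob", ("db", "sales"), "REFRESH"),
    ("bob", ("function", "sales", "mask_ssn"), UDF_PRIVILEGE),
    ("carol", ("function", "sales", "mask_ssn"), UDF_PRIVILEGE),  # no db grant
}

if __name__ == "__main__":
    print(exposed_users(GRANTS, "sales", "mask_ssn"))
```

Running the same comparison over an export of real policies shows which principals rely on a database-level grant alone to call a UDF.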