You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/03/19 00:43:00 UTC
[jira] [Commented] (IMPALA-10483) Support
column-masking/row-filtering policy expressions that contain subqueries
[ https://issues.apache.org/jira/browse/IMPALA-10483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304547#comment-17304547 ]
ASF subversion and git services commented on IMPALA-10483:
----------------------------------------------------------
Commit 98de1c5436415c270901e4af76e0ec06deee1f32 in impala's branch refs/heads/master from stiga-huang
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=98de1c5 ]
IMPALA-9234: Support Ranger row filtering policies
Ranger row filtering policies provide customized expressions to filter
out rows for specific users when reading from a table. This patch adds
support for this feature. A new feature flag, enable_row_filtering, is
added to disable this experimental feature. It defaults to be true so
the feature is enabled by default. Enabling row-filtering requires
--enable_column_masking=true since it depends on the column masking
implementation.
Note that row filtering policies take effects prior to any column
masking policies, because column masking policies apply on result data.
Implementation:
The existing table masking view infrastructure can be extended to
support row filtering. Currently when analyzing a table with column
masking policies, we replace the TableRef with an InlineViewRef which
contains a SelectStmt wrapping the columns with masking expressions.
This patch adds the row filtering expressions to the WhereClause of the
SelectStmt.
Limitations:
- Expressions using subqueries are not supported (IMPALA-10483).
- Row filtering policies on nested tables will not be applied when
nested collection columns are used directly in the FROM clause. This
will leak data so we forbid such kinds of queries until IMPALA-10484
is resolved.
Tests:
- Add FE test for error message when disabling row filtering.
- Add e2e test with row filtering policies.
- Add e2e test with column masking and row filtering policies both take
place.
- Verified audits in a CDP cluster with Ranger and Solr set up.
Change-Id: I580517be241225ca15e45686381b78890178d7cc
Reviewed-on: http://gerrit.cloudera.org:8080/16976
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
> Support column-masking/row-filtering policy expressions that contain subqueries
> -------------------------------------------------------------------------------
>
> Key: IMPALA-10483
> URL: https://issues.apache.org/jira/browse/IMPALA-10483
> Project: IMPALA
> Issue Type: New Feature
> Components: Security
> Reporter: Quanlong Huang
> Priority: Critical
>
> Row-filtering policies are applied as the WHERE clause of the table masking view of the base table/view. E.g. if table "tblA" contains a row-filtering policy "id=0", the original query "{{select * from tblA join tblB on (id)}}" will be analyzed as
> {code:sql}
> select * from (
> select col1, col2, ..., colN from tblA where id = 0
> ) v join tblB on (id)
> {code}
> The row-filtering policy expression can also use subqueries, e.g. "{{id = (select min(id) from tblC)}}". However, if the WHERE clause introduces subqueries, it will introduce new tables whose metadata is not loaded in Analyzer's StmtTableCache. So the Analyzer will fail to resolve them and raise AuthorizationExceptions complaining user doesn't have privilege to SELECT those tables.
> One solution is collecting tables introduced by subqueries of Column-masking/Row-filtering expressions and also load them in {{StmtMetadataLoader#loadTables()}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org