You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@impala.apache.org by "Quanlong Huang (Code Review)" <ge...@cloudera.org> on 2021/03/25 01:04:56 UTC

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Quanlong Huang has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17230


Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................

IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Per RANGER-1087 and RANGER-1100, table updates(e.g. insert, delete,
truncate, upsert, alter, etc.) should be blocked when row-filtering or
column-masking policy is enabled for the user.

This patch adds the check for any row-filtering or column-masking policy
on the table and rejects the update operation if any of them exisits.

Tests:
 - Add FE unit tests

Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
---
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
5 files changed, 273 insertions(+), 81 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/17230/1
-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 1
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Hello Aman Sinha, Fang-Yu Rao, Csaba Ringhofer, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17230

to look at the new patch set (#4).

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................

IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Per RANGER-1087 and RANGER-1100, table updates(e.g. insert, delete,
truncate, upsert, alter, etc.) should be blocked when row-filtering or
column-masking policy is enabled for the user.

This patch adds the check for any row-filtering or column-masking policy
on the table and rejects the update operation if any of them exisits.

Tests:
 - Add FE unit tests
 - Add audit tests

Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
---
M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
8 files changed, 545 insertions(+), 116 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/17230/4
-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 4
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 7: Code-Review+2


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 7
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 23:48:02 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 1:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/8440/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 1
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Thu, 25 Mar 2021 01:25:50 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
File fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java:

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@178
PS1, Line 178:         || (authorizable.getType() != Type.TABLE && authorizable.getType() != Type.COLUMN)) {
line too long (93 > 90)



-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 1
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Thu, 25 Mar 2021 01:06:01 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
File fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java:

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@178
PS1, Line 178:         || (authorizable.getType() != Type.TABLE && authorizable.getType() != Type.COLUMN)) {
> line too long (93 > 90)
Done


http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java:

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@3104
PS1, Line 3104:       authorize("insert into functional.alltypes partition(year, month) " +
> For an INSERT-SELECT, which error message would take precedence .. suppose 
Good point! Yes, the 'block' on insertion happens when checking INSERT request on the table, which is later than checking the SELECT request. Note that requests are checked in the order as they are registered. In InsertStmt.analyze(), the query stmt is analyzed earlier than the target table, so the SELECT request is registered earlier than the INSERT request.

Copied some test codes in testInsert() at line 832 here.



-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 1
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Thu, 25 Mar 2021 08:57:16 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 6:

Fix the test failure caused by no columns in FailedLoadLocalTable. Add a check to skip FeIncompleteTable.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 6
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 04:24:59 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 4: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/7016/


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 4
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 29 Mar 2021 15:00:48 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 5:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/8457/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 5
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 29 Mar 2021 14:07:50 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 2:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/8443/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 2
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Thu, 25 Mar 2021 09:17:21 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 7:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7025/ DRY_RUN=false


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 7
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 23:48:03 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Hello Aman Sinha, Fang-Yu Rao, Csaba Ringhofer, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17230

to look at the new patch set (#3).

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................

IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Per RANGER-1087 and RANGER-1100, table updates(e.g. insert, delete,
truncate, upsert, alter, etc.) should be blocked when row-filtering or
column-masking policy is enabled for the user.

This patch adds the check for any row-filtering or column-masking policy
on the table and rejects the update operation if any of them exisits.

Tests:
 - Add FE unit tests
 - Add audit tests

Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
---
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
7 files changed, 508 insertions(+), 116 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/17230/3
-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 3
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 6:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/8463/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 6
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 04:43:55 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Hello Aman Sinha, Fang-Yu Rao, Csaba Ringhofer, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17230

to look at the new patch set (#5).

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................

IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Per RANGER-1087 and RANGER-1100, table updates(e.g. insert, delete,
truncate, upsert, alter, etc.) should be blocked when row-filtering or
column-masking policy is enabled for the user.

This patch adds the check for any row-filtering or column-masking policy
on the table and rejects the update operation if any of them exisits.

Tests:
 - Add FE unit tests
 - Add audit tests
 - Add e2e tests

Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
---
M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
M testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking.test
M testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking_and_row_filtering.test
M testdata/workloads/functional-query/queries/QueryTest/ranger_row_filtering.test
11 files changed, 599 insertions(+), 116 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/17230/5
-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 5
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 3:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/17230/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
File fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java:

http://gerrit.cloudera.org:8080/#/c/17230/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@169
PS3, Line 169:             authorizeAny(rangerAuthzCtx, resource, resourceType, resourceName, user, privilege) :
line too long (97 > 90)


http://gerrit.cloudera.org:8080/#/c/17230/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@170
PS3, Line 170:             authorizeAll(rangerAuthzCtx, resource, resourceType, resourceName, user, privilege);
line too long (96 > 90)



-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 3
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Fri, 26 Mar 2021 03:18:12 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Aman Sinha (Code Review)" <ge...@cloudera.org>.

Aman Sinha has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 1:

(1 comment)

This generally lgtm.  One question below.

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java:

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@3104
PS1, Line 3104:       authorize("insert into functional.alltypes partition(year, month) " +
For an INSERT-SELECT, which error message would take precedence .. suppose the SELECT side has some authorization issue due to table masking, I assume that will error first before the 'block' on insertion is checked.



-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 1
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Thu, 25 Mar 2021 06:53:31 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 3:

(1 comment)

I realized that audits are not handled correctly. It should be marked as denied by the masking policy.

Refactor the change to check masking policies in a deeper place so we can modify the deny audit. Also added some audit unit tests.

However, RangerAuditLogTest.testAuditsForColumnMasking seems flaky. Still debugging on it.

http://gerrit.cloudera.org:8080/#/c/17230/2/fe/src/main/java/org/apache/impala/authorization/Privilege.java
File fe/src/main/java/org/apache/impala/authorization/Privilege.java:

http://gerrit.cloudera.org:8080/#/c/17230/2/fe/src/main/java/org/apache/impala/authorization/Privilege.java@93
PS2, Line 93:     return this == ALTER || this == DROP || this == CREATE || this == INSERT
> Curious if INVALIDATE METADATA <table> command will/should be blocked with 
Yes, it requires REFRESH privilege: https://github.com/apache/impala/blob/311938b4f500aeb26f5a42cd955231588821e18b/fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java#L192

Added test cases for this.



-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 3
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Fri, 26 Mar 2021 03:19:40 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Aman Sinha (Code Review)" <ge...@cloudera.org>.

Aman Sinha has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 2: Code-Review+1

(2 comments)

http://gerrit.cloudera.org:8080/#/c/17230/2/fe/src/main/java/org/apache/impala/authorization/Privilege.java
File fe/src/main/java/org/apache/impala/authorization/Privilege.java:

http://gerrit.cloudera.org:8080/#/c/17230/2/fe/src/main/java/org/apache/impala/authorization/Privilege.java@93
PS2, Line 93:     return this == ALTER || this == DROP || this == CREATE || this == INSERT
Curious if INVALIDATE METADATA <table> command will/should be blocked with one of these. It's not listed in the Privilege enum but it is a more extreme version of the REFRESH command. That said, it seems unrelated to this patch since it was never being checked.


http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java:

http://gerrit.cloudera.org:8080/#/c/17230/1/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@3104
PS1, Line 3104:       authorize("insert into functional.alltypes partition(year, month) " +
> Good point! Yes, the 'block' on insertion happens when checking INSERT requ
Thanks for adding the additional checks for the SELECT part.



-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 2
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Thu, 25 Mar 2021 15:54:40 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Aman Sinha (Code Review)" <ge...@cloudera.org>.

Aman Sinha has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 5: Code-Review+2

> Patch Set 4:
> 
> (1 comment)
> 
> Changes for the last PS: populate the column names to AuthorizableTable so we can check all column masking policies of the table until we match a real mask policy(i.e. not an unmask policy).

I would have thought that an unmask policy by definition would be skipped since it is not masking. Interesting find. Changes LGTM.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 5
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 03:06:29 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Aman Sinha (Code Review)" <ge...@cloudera.org>.

Aman Sinha has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 6: Code-Review+2


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 6
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 23:34:02 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 4:

(1 comment)

Changes for the last PS: populate the column names to AuthorizableTable so we can check all column masking policies of the table until we match a real mask policy(i.e. not an unmask policy).

http://gerrit.cloudera.org:8080/#/c/17230/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
File fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java:

http://gerrit.cloudera.org:8080/#/c/17230/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@658
PS3, Line 658:     // Check if masking is enabled for any column in the table/view.
             :     if (accessResult.getIsAllowed()) {
             :       List<String> columns;
             :       if (authorizable.getType() == Type.TABLE) {
             :         // Check all columns.
             :         columns = ((AuthorizableTable) authorizable).getColumns();
             :         LOG.trace("Checking mask policies on {} columns of table {}", columns.size(),
             :             authorizable.getFullTableName())
This is the cause of the flakiness. When multiple column masking policies exists, we only pick one and check one. However, the policy can be in "unmask" type which returns false in isMaskEnabled(). Then the table is considered no masking at all, regardless other unpicked policies. Codes here are similar to Hive's. So Hive also has this problem. Filed RANGER-3225 for Hive ranger plugin.

We fix this in the next patch set by checking masking policies on all columns until we meet one that is actual enabled.



-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 4
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 29 Mar 2021 09:18:51 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................

IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Per RANGER-1087 and RANGER-1100, table updates(e.g. insert, delete,
truncate, upsert, alter, etc.) should be blocked when row-filtering or
column-masking policy is enabled for the user.

This patch adds the check for any row-filtering or column-masking policy
on the table and rejects the update operation if any of them exisits.

Tests:
 - Add FE unit tests
 - Add audit tests
 - Add e2e tests

Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Reviewed-on: http://gerrit.cloudera.org:8080/17230
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
M testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking.test
M testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking_and_row_filtering.test
M testdata/workloads/functional-query/queries/QueryTest/ranger_row_filtering.test
11 files changed, 602 insertions(+), 116 deletions(-)

Approvals:
  Impala Public Jenkins: Looks good to me, approved; Verified

-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 8
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Hello Aman Sinha, Fang-Yu Rao, Csaba Ringhofer, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17230

to look at the new patch set (#6).

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................

IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Per RANGER-1087 and RANGER-1100, table updates(e.g. insert, delete,
truncate, upsert, alter, etc.) should be blocked when row-filtering or
column-masking policy is enabled for the user.

This patch adds the check for any row-filtering or column-masking policy
on the table and rejects the update operation if any of them exisits.

Tests:
 - Add FE unit tests
 - Add audit tests
 - Add e2e tests

Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
---
M fe/src/main/java/org/apache/impala/authorization/AuthorizableTable.java
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
M testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking.test
M testdata/workloads/functional-query/queries/QueryTest/ranger_column_masking_and_row_filtering.test
M testdata/workloads/functional-query/queries/QueryTest/ranger_row_filtering.test
11 files changed, 602 insertions(+), 116 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/17230/6
-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 6
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 6:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7020/ DRY_RUN=true


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 6
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 04:25:23 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 5:

Added some e2e tests


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 5
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 29 Mar 2021 13:47:18 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 7: Verified+1


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 7
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Wed, 31 Mar 2021 05:38:49 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 3:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/8449/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 3
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Fri, 26 Mar 2021 03:37:43 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 4:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/7016/ DRY_RUN=true


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 4
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 29 Mar 2021 09:19:16 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 4:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/8455/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 4
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 29 Mar 2021 09:38:27 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Quanlong Huang (Code Review)" <ge...@cloudera.org>.

Hello Aman Sinha, Fang-Yu Rao, Csaba Ringhofer, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17230

to look at the new patch set (#2).

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................

IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Per RANGER-1087 and RANGER-1100, table updates(e.g. insert, delete,
truncate, upsert, alter, etc.) should be blocked when row-filtering or
column-masking policy is enabled for the user.

This patch adds the check for any row-filtering or column-masking policy
on the table and rejects the update operation if any of them exisits.

Tests:
 - Add FE unit tests

Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
---
M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
5 files changed, 291 insertions(+), 81 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/17230/2
-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 2
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/17230 )

Change subject: IMPALA-10554: Block updates when row-filter/column-mask is enabled for the user
......................................................................


Patch Set 6: Verified+1


-- 
To view, visit http://gerrit.cloudera.org:8080/17230
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I1c899f2ec24b895867cbf2cf9ed23bc7b5a77326
Gerrit-Change-Number: 17230
Gerrit-PatchSet: 6
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 30 Mar 2021 10:11:46 +0000
Gerrit-HasComments: No