Posted to issues@impala.apache.org by "Michal Dobrzycki (Jira)" <ji...@apache.org> on 2022/07/04 11:27:00 UTC

[jira] [Created] (IMPALA-11413) SHOW GRANT ROLE roleN; shows wrong permissions (or permissions were granted incorrectly)

Michal Dobrzycki created IMPALA-11413:
-----------------------------------------

             Summary: SHOW GRANT ROLE roleN; shows wrong permissions (or permissions were granted incorrectly)
                 Key: IMPALA-11413
                 URL: https://issues.apache.org/jira/browse/IMPALA-11413
             Project: IMPALA
          Issue Type: Bug
          Components: Security
    Affects Versions: Impala 3.3.0
            Reporter: Michal Dobrzycki


Hey guys, we have an impala - hdfs - *sentry* architecture.

We're using scripts to create roles
{code:java}
CREATE ROLE role1;
GRANT ALL ON DATABASE db1 TO ROLE role1;
GRANT ALL ON URI 'hdfs://uri/db1' TO ROLE role1;
GRANT ROLE role1 TO GROUP role1;{code}
Using the same connection, I run:
{code:java}
CREATE ROLE role2;
GRANT ALL ON DATABASE db2 TO ROLE role2;
GRANT ALL ON URI 'hdfs://uri/db2' TO ROLE role2;
GRANT ROLE role2 TO GROUP role2;{code}
And do this for N users.

After executing these operations, the backend sentry policy DB shows that the roleN privileges were actually granted to role(N-1).

Just before this happened we switched Impala to local catalog mode (it might or might not be related, but it did occur at the same time). The config change in Impala was to:
{code:java}
--catalog_topic_mode=minimal{code}
and
{code:java}
--use_local_catalog=true{code}
Then the impala query showed that roleN has permissions to N-1 database. It only happened for one of ~30 roles:
{code:java}
[dn0.datanode.dp.svc.cluster.local:21000] default> SHOW GRANT ROLE roleN;
Query: SHOW GRANT ROLE roleN
+----------+-----------+-------+--------+-------------------------------+-----------+--------------+-------------------------------+
| scope    | database  | table | column | uri                           | privilege | grant_option | create_time                   |
+----------+-----------+-------+--------+-------------------------------+-----------+--------------+-------------------------------+
| database | N-1       |       |        |                               | all       | false        | -                             |
| uri      |           |       |        | hdfs://uri/(N-1)              | all       | false        | -                             |
+----------+-----------+-------+--------+-------------------------------+-----------+--------------+-------------------------------+{code}
This is not reproducible at this time (after dropping and recreating roles it looks fine now).



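An added example (not part of the original report or of Impala's own code): a Python check that parses `SHOW GRANT ROLE` output in the table format shown in the report and compares it with the grants the provisioning script intended, so a role carrying another role's privileges is flagged right after provisioning. The `role<n>` -> `db<n>` / `hdfs://uri/db<n>` naming and the sample table are assumptions constructed from the report's pattern.

```python
# Added example: audit SHOW GRANT ROLE output against the intended grants.
# Assumed naming (from the report's pattern): role<n> -> db<n>, hdfs://uri/db<n>.

KEY = ("scope", "database", "table", "column", "uri", "privilege")


def parse_grant_table(text):
    """Parse the ASCII table impala-shell prints for SHOW GRANT ROLE."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|") and line.endswith("|"):
            rows.append([cell.strip() for cell in line[1:-1].split("|")])
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in data]


def expected_grants(n):
    """Grants the provisioning script intends for role<n>."""
    return {
        ("database", f"db{n}", "", "", "", "all"),
        ("uri", "", "", "", f"hdfs://uri/db{n}", "all"),
    }


def audit_role(n, show_grant_output):
    """Return (missing, unexpected) grants for role<n>."""
    actual = {tuple(r[k] for k in KEY) for r in parse_grant_table(show_grant_output)}
    expected = expected_grants(n)
    return expected - actual, actual - expected


# Constructed sample: role7 reporting the grants meant for role6.
SAMPLE_ROLE7 = """\
Query: SHOW GRANT ROLE role7
+----------+----------+-------+--------+----------------+-----------+--------------+-------------+
| scope    | database | table | column | uri            | privilege | grant_option | create_time |
+----------+----------+-------+--------+----------------+-----------+--------------+-------------+
| database | db6      |       |        |                | all       | false        | -           |
| uri      |          |       |        | hdfs://uri/db6 | all       | false        | -           |
+----------+----------+-------+--------+----------------+-----------+--------------+-------------+
"""

if __name__ == "__main__":
    missing, unexpected = audit_role(7, SAMPLE_ROLE7)
    for g in sorted(missing):
        print("MISSING   ", g)
    for g in sorted(unexpected):
        print("UNEXPECTED", g)
```

Running the same comparison against the Sentry policy database as well as the Impala view helps tell a stale catalog cache apart from a grant that was actually stored against the wrong role.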