You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/03/30 23:58:00 UTC

[jira] [Updated] (IMPALA-10484) Support using non-relative collection columns of a table containing row-filtering policies

     [ https://issues.apache.org/jira/browse/IMPALA-10484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Quanlong Huang updated IMPALA-10484:
------------------------------------
    Summary: Support using non-relative collection columns of a table containing row-filtering policies  (was: Support using unrelated collection columns of a table containing row-filtering policies)

> Support using non-relative collection columns of a table containing row-filtering policies
> ------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-10484
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10484
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Security
>    Affects Versions: Impala 4.0
>            Reporter: Quanlong Huang
>            Priority: Major
>
> This is a follow-up for IMPALA-9234. Row-filtering policies are applied as the WHERE clause of the table masking view of the base table/view. E.g. if table "tblA" contains a row-filtering policy "id=0", the original query "{{select * from tblA join tblB on (id)}}" will be analyzed as
> {code:sql}
> select * from (
>   select col1, col2, ..., colN from tblA where id = 0
> ) v join tblB on (id)
> {code}
> Tables containing complex types are more complex in analyzing. Let's say "tblA" contains two columns:
> ||id int||int_array array<int>||
> |0|[1,2,3]|
> |1|[4,5]|
> The following queries gets all items of the array column:
> {code:sql}
> -- Good for applying table masking view on tblA
> select a.item from tblA t, t.int_array a;
> -- Hard to apply table masking view on tblA
> select item from tblA.int_array;
> {code}
> The second query uses unrelated collection column directly. So we can't apply the row-filtering policies on the base table. This will leak data, so IMPALA-9234 forbids them.
> We can support this by rewritting the second query to the first one. Luckily, we already have a rewritter containing this ability: {{AcidRewriter}} in {{StmtRewriter}}. With some refactor it can be reused. However, there is a bug (IMPALA-10482) needs to be fixed first.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org