You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2021/05/21 00:20:00 UTC
[jira] [Created] (IMPALA-10712) ALTER DATABASE SET
OWNER ROLE is not supported when Ranger is the authorization
provider
Fang-Yu Rao created IMPALA-10712:
------------------------------------
Summary: ALTER DATABASE <database_name> SET OWNER ROLE <role_name> is not supported when Ranger is the authorization provider
Key: IMPALA-10712
URL: https://issues.apache.org/jira/browse/IMPALA-10712
Project: IMPALA
Issue Type: Improvement
Affects Versions: Impala 4.0
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao
We found that {{ALTER DATABASE <database_name> SET OWNER ROLE <role_name>}} is not supported when Ranger is the authorization provider. Specifically, we will hit the non-null check for the given role at [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59] due to the fact that the {{AuthorizationPolicy}} returned from {{getAuthPolicy()}} does not cache any policy-related information if the authorization provider is Ranger, which is different than the case when Sentry was the authorization provider.
When Ranger is the authorization provider, the currently existing roles are cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we could probably invoke {{getRoles().getRangerRoles()}} provided by the {{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what is done at [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].
Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing Joe's comment at [https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org