Posted to issues-all@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2021/05/21 00:20:00 UTC

[jira] [Created] (IMPALA-10712) ALTER DATABASE SET OWNER ROLE is not supported when Ranger is the authorization provider

Fang-Yu Rao created IMPALA-10712:
------------------------------------

             Summary: ALTER DATABASE <database_name> SET OWNER ROLE <role_name> is not supported when Ranger is the authorization provider
                 Key: IMPALA-10712
                 URL: https://issues.apache.org/jira/browse/IMPALA-10712
             Project: IMPALA
          Issue Type: Improvement
    Affects Versions: Impala 4.0
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


We found that {{ALTER DATABASE <database_name> SET OWNER ROLE <role_name>}} is not supported when Ranger is the authorization provider. Specifically, we will hit the non-null check for the given role at [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59] due to the fact that the {{AuthorizationPolicy}} returned from {{getAuthPolicy()}} does not cache any policy-related information if the authorization provider is Ranger, which is different than the case when Sentry was the authorization provider.

When Ranger is the authorization provider, the currently existing roles are cached by {{RangerImpalaPlugin}}. Therefore, to address the issue above, we could probably invoke {{getRoles().getRangerRoles()}} provided by the {{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what is done at [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].

Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing Joe's comment at [https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].


