You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/02/27 09:19:00 UTC
[jira] [Updated] (IMPALA-10554) Block modifications when
row-filter/column-mask is enabled for the user
[ https://issues.apache.org/jira/browse/IMPALA-10554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Quanlong Huang updated IMPALA-10554:
------------------------------------
Description:
Per RANGER-1087 and RANGER-1100, table modifications(insert/delete/update) should be blocked when row-filter/column-masking policy is enabled for the user.
Currently, Impala doesn't block them, which is a bug considering to Hive's behavior.
*Reproducing the issue*
Create a table and a column masking policy on it:
{code:sql}
hive> create table hql_tbl (id int, name string) stored as textfile;
hive> insert into table hql_tbl values (0, 'aaa'), (1, 'bbb'), (2, 'ccc');
{code}
Column masking policy:
!column_masking_policy.png|width=534,height=572!
In Hive, the INSERT will be denied:
{code:sql}
hive> insert into table hql_tbl values (3, 'ddd');
Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [UPDATE] privilege on [default/hql_tbl]
{code}
However, the user is able to insert values using Impala.
The related Ranger config is xasecure.hive.block.update.if.rowfilter.columnmask.specified.
was:
Per RANGER-1087 and RANGER-1100, table modifications(insert/delete/update) should be blocked when row-filter/column-masking policy is enabled for the user.
Currently, Impala doesn't block them, which is a bug considering to Hive's behavior.
*Reproducing the issue*
Create a table and a column masking policy on it:
{code:sql}
hive> create table hql_tbl (id int, name string) stored as textfile;
hive> insert into table hql_tbl values (0, 'aaa'), (1, 'bbb'), (2, 'ccc');
{code}
Column masking policy:
!column_masking_policy.png|width=534,height=572!
In Hive, the INSERT will be denied:
{code:sql}
hive> insert into table hql_tbl values (3, 'ddd');
Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [UPDATE] privilege on [default/hql_tbl]
{code}
However, the user is able to insert values using Impala.
The related Ranger config is xasecure.hive.block.update.if.rowfilter.columnmask.specified.
> Block modifications when row-filter/column-mask is enabled for the user
> -----------------------------------------------------------------------
>
> Key: IMPALA-10554
> URL: https://issues.apache.org/jira/browse/IMPALA-10554
> Project: IMPALA
> Issue Type: Bug
> Components: Security
> Affects Versions: Impala 3.4.0
> Reporter: Quanlong Huang
> Priority: Critical
> Attachments: column_masking_policy.png
>
>
> Per RANGER-1087 and RANGER-1100, table modifications(insert/delete/update) should be blocked when row-filter/column-masking policy is enabled for the user.
> Currently, Impala doesn't block them, which is a bug considering to Hive's behavior.
> *Reproducing the issue*
> Create a table and a column masking policy on it:
> {code:sql}
> hive> create table hql_tbl (id int, name string) stored as textfile;
> hive> insert into table hql_tbl values (0, 'aaa'), (1, 'bbb'), (2, 'ccc');
> {code}
> Column masking policy:
> !column_masking_policy.png|width=534,height=572!
> In Hive, the INSERT will be denied:
> {code:sql}
> hive> insert into table hql_tbl values (3, 'ddd');
> Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [UPDATE] privilege on [default/hql_tbl]
> {code}
> However, the user is able to insert values using Impala.
> The related Ranger config is xasecure.hive.block.update.if.rowfilter.columnmask.specified.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org