Posted to commits@impala.apache.org by ta...@apache.org on 2018/01/18 04:27:42 UTC

[02/12] impala git commit: IMPALA-4315: Allow USE and SHOW TABLES if the user has only column privileges

IMPALA-4315: Allow USE and SHOW TABLES if the user has only column privileges

USE and SHOW TABLES should be allowed if there is at least one
table in a database where the user has table or column
privileges. Impala incorrectly checked only for table privileges.

To test this issue in AuthorizationTest.java, 'functional_avro'
is added as a test database with only column level permissions.

Change-Id: Ia69756a18cb1db304d2bb8c92288612cbd1164d8
Reviewed-on: http://gerrit.cloudera.org:8080/8973
Reviewed-by: Alex Behm <al...@cloudera.com>
Tested-by: Impala Public Jenkins


Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/dcc7be0e
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/dcc7be0e
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/dcc7be0e

Branch: refs/heads/master
Commit: dcc7be0ed483b332dac22d6596f56ff2a6cfdaa3
Parents: b6e4313
Author: Csaba Ringhofer <cs...@cloudera.com>
Authored: Tue Jan 9 16:55:28 2018 +0100
Committer: Impala Public Jenkins <im...@gerrit.cloudera.org>
Committed: Wed Jan 17 22:40:13 2018 +0000

----------------------------------------------------------------------
 .../apache/impala/analysis/AnalysisContext.java |  6 ++++--
 .../org/apache/impala/analysis/Analyzer.java    |  4 +++-
 .../impala/analysis/AuthorizationTest.java      | 21 ++++++++++++++++++--
 fe/src/test/resources/authz-policy.ini.template |  4 +++-
 4 files changed, 29 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java b/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
index 71a185e..5ad97eb 100644
--- a/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
+++ b/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
@@ -445,7 +445,7 @@ public class AnalysisContext {
     Preconditions.checkNotNull(analysisResult_);
     Analyzer analyzer = getAnalyzer();
     // Process statements for which column-level privilege requests may be registered
-    // except for DESCRIBE TABLE or REFRESH/INVALIDATE statements
+    // except for DESCRIBE TABLE, REFRESH/INVALIDATE, USE or SHOW TABLES statements.
     if (analysisResult_.isQueryStmt() || analysisResult_.isInsertStmt() ||
         analysisResult_.isUpdateStmt() || analysisResult_.isDeleteStmt() ||
         analysisResult_.isCreateTableAsSelectStmt() ||
@@ -493,7 +493,9 @@ public class AnalysisContext {
         Preconditions.checkState(
             !(privReq.getAuthorizeable() instanceof AuthorizeableColumn) ||
             analysisResult_.isDescribeTableStmt() ||
-            analysisResult_.isResetMetadataStmt());
+            analysisResult_.isResetMetadataStmt() ||
+            analysisResult_.isUseStmt() ||
+            analysisResult_.isShowTablesStmt());
         authorizePrivilegeRequest(authzChecker, privReq);
       }
     }
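Review bot: The list of statement kinds for which a column-level privilege request is legitimate is now maintained by hand in two places — the "except for …" comment and condition in the previous hunk, and this `checkState` chain — and the two have to be kept in agreement on every future addition. A small predicate on the analysis result, e.g. `boolean allowsColumnPrivReqs() { return isDescribeTableStmt() || isResetMetadataStmt() || isUseStmt() || isShowTablesStmt(); }`, would give the invariant a single definition that both sites call. The reason USE and SHOW TABLES belong in this list is also not stated here; a one-line comment above the `checkState` would help: `// USE and SHOW TABLES register an ANY request on any column of the db's tables, so a column request is expected for them.` The enclosing method begins outside the hunk.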

http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/org/apache/impala/analysis/Analyzer.java b/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
index eab33cb..5e9c788 100644
--- a/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
+++ b/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
@@ -31,6 +31,7 @@ import java.util.Set;
 
 import org.apache.impala.analysis.Path.PathType;
 import org.apache.impala.authorization.AuthorizationConfig;
+import org.apache.impala.authorization.AuthorizeableTable;
 import org.apache.impala.authorization.Privilege;
 import org.apache.impala.authorization.PrivilegeRequest;
 import org.apache.impala.authorization.PrivilegeRequestBuilder;
@@ -2473,7 +2474,8 @@ public class Analyzer {
       throws AnalysisException {
     PrivilegeRequestBuilder pb = new PrivilegeRequestBuilder();
     if (privilege == Privilege.ANY) {
-      registerPrivReq(pb.any().onAnyTable(dbName).toRequest());
+      registerPrivReq(
+          pb.any().onAnyColumn(dbName, AuthorizeableTable.ANY_TABLE_NAME).toRequest());
     } else {
       registerPrivReq(pb.allOf(privilege).onDb(dbName).toRequest());
     }
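Review bot: The `Privilege.ANY` branch now requests any privilege on any column of any table in `dbName`, which is what lets a column-only grant satisfy USE and SHOW TABLES, but the method's Javadoc (above the hunk, not visible here) presumably still describes a table-level request and should be brought in line. The intent is worth stating at the call site too: `// Privilege.ANY: a privilege on any column of any table in dbName is sufficient (USE, SHOW TABLES).` Whether a request on `AuthorizeableTable.ANY_TABLE_NAME` is also satisfied by table- or database-scoped grants is decided by the authorization checker's privilege hierarchy rather than by this code; the existing `use functional`/`use tpch` cases exercise that path, but it is worth confirming the request can only be met by a privilege scoped to that database or below. The method's signature starts outside the hunk.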

http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
----------------------------------------------------------------------
diff --git a/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java b/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
index 30a0238..9140e52 100644
--- a/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
+++ b/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
@@ -98,6 +98,8 @@ public class AuthorizationTest {
   //   INSERT permissions on 'functional.alltypes' (no SELECT permissions)
   //   INSERT permissions on all tables in 'functional_parquet' database
   //   No permissions on database 'functional_rc'
+  //   Only column level permissions in 'functional_avro':
+  //     SELECT permissions on columns ('id') on 'functional_avro.alltypessmall'
   public final static String AUTHZ_POLICY_FILE = "/test-warehouse/authz-policy.ini";
   public final static User USER = new User(System.getProperty("user.name"));
 
@@ -388,6 +390,19 @@ public class AuthorizationTest {
       privileges.add(priv);
     }
     sentryService.grantRolePrivileges(USER, roleName, privileges);
+
+    // select_column_level_functional_avro
+    roleName = "select_column_level_functional_avro";
+    sentryService.createRole(USER, roleName, true);
+    sentryService.grantRoleToGroup(USER, roleName, USER.getName());
+
+    privilege = new TPrivilege("", TPrivilegeLevel.SELECT,
+        TPrivilegeScope.COLUMN, false);
+    privilege.setServer_name("server1");
+    privilege.setDb_name("functional_avro");
+    privilege.setTable_name("alltypessmall");
+    privilege.setColumn_name("id");
+    sentryService.grantRolePrivilege(USER, roleName, privilege);
   }
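Review bot: The new role grants only `SELECT` on `functional_avro.alltypessmall.id`, and this block must stay in step with the `select_column_level_functional_avro` entry added to `authz-policy.ini.template` in the same commit, since the two back the Sentry-service and policy-file modes of the same tests; a comment tying them together would help, e.g. `// Mirrors select_column_level_functional_avro in authz-policy.ini.template.` The assertions added in this file are positive only; a check that `show tables in functional_avro` lists just `alltypessmall`, or that a `select *` on that table is still rejected, would demonstrate that the column-only grant does not widen beyond USE/SHOW TABLES, unless that is covered elsewhere in the file. The enclosing setup method begins outside the hunk.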
 
   @Test
@@ -757,6 +772,7 @@ public class AuthorizationTest {
   public void TestUseDb() throws ImpalaException {
     // Positive cases (user has privileges on these tables).
     AuthzOk("use functional");
+    AuthzOk("use functional_avro"); // Database with only column privileges.
     AuthzOk("use tpcds");
     AuthzOk("use tpch");
 
@@ -1517,6 +1533,7 @@ public class AuthorizationTest {
   @Test
   public void TestShowPermissions() throws ImpalaException {
     AuthzOk("show tables in functional");
+    AuthzOk("show tables in functional_avro"); // Database with only column privileges.
     AuthzOk("show databases");
     AuthzOk("show tables in _impala_builtins");
     AuthzOk("show functions in _impala_builtins");
@@ -1579,7 +1596,7 @@ public class AuthorizationTest {
     // These are the only dbs that should show up because they are the only
     // dbs the user has any permissions on.
     List<String> expectedDbs = Lists.newArrayList("default", "functional",
-        "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
+        "functional_avro", "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
 
     List<Db> dbs = fe_.getDbs(PatternMatcher.createHivePatternMatcher("*"), USER);
     assertEquals(expectedDbs, extractDbNames(dbs));
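Review bot: The expected database list here and the identical one in the next hunk (the `get_schemas` metadata test) are maintained by hand in two places and are order-sensitive, which is why this commit had to edit both. Hoisting them into one `private static final List<String> EXPECTED_DBS` (kept sorted, as both comparisons rely on order) would make the next permission change a one-line edit. The enclosing test methods start outside the hunks.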
@@ -1742,7 +1759,7 @@ public class AuthorizationTest {
     req.get_schemas_req.setSchemaName("%");
     TResultSet resp = fe_.execHiveServer2MetadataOp(req);
     List<String> expectedDbs = Lists.newArrayList("default", "functional",
-        "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
+        "functional_avro", "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
     assertEquals(expectedDbs.size(), resp.rows.size());
     for (int i = 0; i < resp.rows.size(); ++i) {
       assertEquals(expectedDbs.get(i),

http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/test/resources/authz-policy.ini.template
----------------------------------------------------------------------
diff --git a/fe/src/test/resources/authz-policy.ini.template b/fe/src/test/resources/authz-policy.ini.template
index 57db74c..18abdb6 100644
--- a/fe/src/test/resources/authz-policy.ini.template
+++ b/fe/src/test/resources/authz-policy.ini.template
@@ -24,7 +24,7 @@ ${USER} = all_tpch, all_newdb, all_functional_seq_snap, select_tpcds,\
           select_functional_alltypesagg, insert_functional_alltypes,\
           select_functional_complex_view, select_functional_view_view,\
           insert_parquet, new_table_uri, tpch_data_uri, select_column_level_functional,\
-          upper_case_uri
+          select_column_level_functional_avro, upper_case_uri
 auth_to_local_group = test_role
 server_admin = all_server
 
@@ -68,6 +68,8 @@ select_column_level_functional =\
     server=server1->db=functional->table=allcomplextypes->column=id->action=select,\
     server=server1->db=functional->table=allcomplextypes->column=struct_array_col->action=select,\
     server=server1->db=functional->table=allcomplextypes->column=int_map_col->action=select
+select_column_level_functional_avro =\
+    server=server1->db=functional_avro->table=alltypessmall->column=id->action=select
 new_table_uri = server=server1->uri=hdfs://localhost:20500/test-warehouse/new_table
 tpch_data_uri = server=server1->uri=hdfs://localhost:20500/test-warehouse/tpch.lineitem
 upper_case_uri = server=server1->uri=hdfs://localhost:20500/test-warehouse/UPPER_CASE