Posted to commits@impala.apache.org by ta...@apache.org on 2018/01/18 04:27:42 UTC
[02/12] impala git commit: IMPALA-4315: Allow USE and SHOW TABLES if
the user has only column privileges
IMPALA-4315: Allow USE and SHOW TABLES if the user has only column privileges
USE and SHOW TABLES should be allowed when the database contains at least
one table on which the user holds table-level or column-level privileges.
Impala incorrectly checked for table-level privileges only.
To test this issue in AuthorizationTest.java, 'functional_avro'
is added as a test database with only column level permissions.
Change-Id: Ia69756a18cb1db304d2bb8c92288612cbd1164d8
Reviewed-on: http://gerrit.cloudera.org:8080/8973
Reviewed-by: Alex Behm <al...@cloudera.com>
Tested-by: Impala Public Jenkins
Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/dcc7be0e
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/dcc7be0e
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/dcc7be0e
Branch: refs/heads/master
Commit: dcc7be0ed483b332dac22d6596f56ff2a6cfdaa3
Parents: b6e4313
Author: Csaba Ringhofer <cs...@cloudera.com>
Authored: Tue Jan 9 16:55:28 2018 +0100
Committer: Impala Public Jenkins <im...@gerrit.cloudera.org>
Committed: Wed Jan 17 22:40:13 2018 +0000
----------------------------------------------------------------------
.../apache/impala/analysis/AnalysisContext.java | 6 ++++--
.../org/apache/impala/analysis/Analyzer.java | 4 +++-
.../impala/analysis/AuthorizationTest.java | 21 ++++++++++++++++++--
fe/src/test/resources/authz-policy.ini.template | 4 +++-
4 files changed, 29 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java b/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
index 71a185e..5ad97eb 100644
--- a/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
+++ b/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
@@ -445,7 +445,7 @@ public class AnalysisContext {
Preconditions.checkNotNull(analysisResult_);
Analyzer analyzer = getAnalyzer();
// Process statements for which column-level privilege requests may be registered
- // except for DESCRIBE TABLE or REFRESH/INVALIDATE statements
+ // except for DESCRIBE TABLE, REFRESH/INVALIDATE, USE or SHOW TABLES statements.
if (analysisResult_.isQueryStmt() || analysisResult_.isInsertStmt() ||
analysisResult_.isUpdateStmt() || analysisResult_.isDeleteStmt() ||
analysisResult_.isCreateTableAsSelectStmt() ||
@@ -493,7 +493,9 @@ public class AnalysisContext {
Preconditions.checkState(
!(privReq.getAuthorizeable() instanceof AuthorizeableColumn) ||
analysisResult_.isDescribeTableStmt() ||
- analysisResult_.isResetMetadataStmt());
+ analysisResult_.isResetMetadataStmt() ||
+ analysisResult_.isUseStmt() ||
+ analysisResult_.isShowTablesStmt());
authorizePrivilegeRequest(authzChecker, privReq);
}
}
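Review bot: The extended Preconditions.checkState at the new lines (L53-L55) now enumerates five statement kinds for which a column-scoped privilege request is tolerated, but nothing at the check says why USE and SHOW TABLES belong there; the only explanation is the prose comment in the other hunk of this file (L44), which repeats the same list and will drift the next time a statement kind is added. I would put the reason next to the check itself: `// USE/SHOW TABLES register an any-privilege request on any column of any table in the db (see Analyzer), so a column-scoped request is expected for them here.` The enclosing method's signature and the loop that yields privReq start above the hunk, so I cannot see whether column requests for the other listed statements are handled before reaching this point.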
http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/org/apache/impala/analysis/Analyzer.java b/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
index eab33cb..5e9c788 100644
--- a/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
+++ b/fe/src/main/java/org/apache/impala/analysis/Analyzer.java
@@ -31,6 +31,7 @@ import java.util.Set;
import org.apache.impala.analysis.Path.PathType;
import org.apache.impala.authorization.AuthorizationConfig;
+import org.apache.impala.authorization.AuthorizeableTable;
import org.apache.impala.authorization.Privilege;
import org.apache.impala.authorization.PrivilegeRequest;
import org.apache.impala.authorization.PrivilegeRequestBuilder;
@@ -2473,7 +2474,8 @@ public class Analyzer {
throws AnalysisException {
PrivilegeRequestBuilder pb = new PrivilegeRequestBuilder();
if (privilege == Privilege.ANY) {
- registerPrivReq(pb.any().onAnyTable(dbName).toRequest());
+ registerPrivReq(
+ pb.any().onAnyColumn(dbName, AuthorizeableTable.ANY_TABLE_NAME).toRequest());
} else {
registerPrivReq(pb.allOf(privilege).onDb(dbName).toRequest());
}
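Review bot: The new request at L77-L78 asks for any privilege on any column of any table in dbName, and the code does not say whether a plain table-level or db-level grant also satisfies it; the commit message promises "table or column privileges", so this silently relies on the authorization checker treating a table grant as covering that table's columns. I would document that dependency on the line: `// Any-column request: satisfied by a column grant on any table in the db; a table- or db-level grant is presumably expected to cover columns too via the checker's privilege hierarchy - confirm.` It is also worth stating in the same comment that this deliberately lets a user holding a single column grant learn that the database exists (the intended scope of IMPALA-4315) and that the else branch for a specific privilege is unchanged. The method's signature and Javadoc are above the hunk, so its name and documented contract are not visible here.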
http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
----------------------------------------------------------------------
diff --git a/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java b/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
index 30a0238..9140e52 100644
--- a/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
+++ b/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
@@ -98,6 +98,8 @@ public class AuthorizationTest {
// INSERT permissions on 'functional.alltypes' (no SELECT permissions)
// INSERT permissions on all tables in 'functional_parquet' database
// No permissions on database 'functional_rc'
+ // Only column level permissions in 'functional_avro':
+ // SELECT permissions on columns ('id') on 'functional_avro.alltypessmall'
public final static String AUTHZ_POLICY_FILE = "/test-warehouse/authz-policy.ini";
public final static User USER = new User(System.getProperty("user.name"));
@@ -388,6 +390,19 @@ public class AuthorizationTest {
privileges.add(priv);
}
sentryService.grantRolePrivileges(USER, roleName, privileges);
+
+ // select_column_level_functional_avro
+ roleName = "select_column_level_functional_avro";
+ sentryService.createRole(USER, roleName, true);
+ sentryService.grantRoleToGroup(USER, roleName, USER.getName());
+
+ privilege = new TPrivilege("", TPrivilegeLevel.SELECT,
+ TPrivilegeScope.COLUMN, false);
+ privilege.setServer_name("server1");
+ privilege.setDb_name("functional_avro");
+ privilege.setTable_name("alltypessmall");
+ privilege.setColumn_name("id");
+ sentryService.grantRolePrivilege(USER, roleName, privilege);
}
@Test
@@ -757,6 +772,7 @@ public class AuthorizationTest {
public void TestUseDb() throws ImpalaException {
// Positive cases (user has privileges on these tables).
AuthzOk("use functional");
+ AuthzOk("use functional_avro"); // Database with only column privileges.
AuthzOk("use tpcds");
AuthzOk("use tpch");
@@ -1517,6 +1533,7 @@ public class AuthorizationTest {
@Test
public void TestShowPermissions() throws ImpalaException {
AuthzOk("show tables in functional");
+ AuthzOk("show tables in functional_avro"); // Database with only column privileges.
AuthzOk("show databases");
AuthzOk("show tables in _impala_builtins");
AuthzOk("show functions in _impala_builtins");
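Review bot: The added assertion at L126 only proves that `show tables in functional_avro` is authorized; nothing in this hunk checks that the resulting listing is restricted to `alltypessmall`, the one table on which the user holds a column grant, so a regression that lists every table in the database once the statement passes authorization would not be caught here. A check in the style of the getDbs assertion later in this file - fetch the table names for functional_avro as USER and assert the list equals `Lists.newArrayList("alltypessmall")` - would pin that behaviour. I cannot see from this hunk where table-listing filtering is implemented, so if such a test already exists elsewhere in the file this is moot.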
@@ -1579,7 +1596,7 @@ public class AuthorizationTest {
// These are the only dbs that should show up because they are the only
// dbs the user has any permissions on.
List<String> expectedDbs = Lists.newArrayList("default", "functional",
- "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
+ "functional_avro", "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
List<Db> dbs = fe_.getDbs(PatternMatcher.createHivePatternMatcher("*"), USER);
assertEquals(expectedDbs, extractDbNames(dbs));
@@ -1742,7 +1759,7 @@ public class AuthorizationTest {
req.get_schemas_req.setSchemaName("%");
TResultSet resp = fe_.execHiveServer2MetadataOp(req);
List<String> expectedDbs = Lists.newArrayList("default", "functional",
- "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
+ "functional_avro", "functional_parquet", "functional_seq_snap", "tpcds", "tpch");
assertEquals(expectedDbs.size(), resp.rows.size());
for (int i = 0; i < resp.rows.size(); ++i) {
assertEquals(expectedDbs.get(i),
http://git-wip-us.apache.org/repos/asf/impala/blob/dcc7be0e/fe/src/test/resources/authz-policy.ini.template
----------------------------------------------------------------------
diff --git a/fe/src/test/resources/authz-policy.ini.template b/fe/src/test/resources/authz-policy.ini.template
index 57db74c..18abdb6 100644
--- a/fe/src/test/resources/authz-policy.ini.template
+++ b/fe/src/test/resources/authz-policy.ini.template
@@ -24,7 +24,7 @@ ${USER} = all_tpch, all_newdb, all_functional_seq_snap, select_tpcds,\
select_functional_alltypesagg, insert_functional_alltypes,\
select_functional_complex_view, select_functional_view_view,\
insert_parquet, new_table_uri, tpch_data_uri, select_column_level_functional,\
- upper_case_uri
+ select_column_level_functional_avro, upper_case_uri
auth_to_local_group = test_role
server_admin = all_server
@@ -68,6 +68,8 @@ select_column_level_functional =\
server=server1->db=functional->table=allcomplextypes->column=id->action=select,\
server=server1->db=functional->table=allcomplextypes->column=struct_array_col->action=select,\
server=server1->db=functional->table=allcomplextypes->column=int_map_col->action=select
+select_column_level_functional_avro =\
+ server=server1->db=functional_avro->table=alltypessmall->column=id->action=select
new_table_uri = server=server1->uri=hdfs://localhost:20500/test-warehouse/new_table
tpch_data_uri = server=server1->uri=hdfs://localhost:20500/test-warehouse/tpch.lineitem
upper_case_uri = server=server1->uri=hdfs://localhost:20500/test-warehouse/UPPER_CASE