You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2023/01/19 01:33:00 UTC

[jira] [Created] (IMPALA-11851) Relative paths on nested columns of a Ranger masked view can't be resolved

Quanlong Huang created IMPALA-11851:
---------------------------------------

             Summary: Relative paths on nested columns of a Ranger masked view can't be resolved
                 Key: IMPALA-11851
                 URL: https://issues.apache.org/jira/browse/IMPALA-11851
             Project: IMPALA
          Issue Type: Bug
          Components: Security
            Reporter: Quanlong Huang
            Assignee: Quanlong Huang


Since IMPALA-9498, we support returning ARRAYs from catalog views. If the array column is used relatively outside and the view is masked by Ranger column-masking/row-filtering policies, the query will failed.

For instance, functional_parquet.complextypestbl is a test table with the following schema:
{code:sql}
  id BIGINT,
  int_array ARRAY<INT>,
  int_array_array ARRAY<ARRAY<INT>>,
  int_map MAP<STRING,INT>,
  int_map_array ARRAY<MAP<STRING,INT>>,
  nested_struct STRUCT<a:INT,b:ARRAY<INT>,c:STRUCT<d:ARRAY<ARRAY<STRUCT<e:INT,f:STRING>>>>,g:MAP<STRING,STRUCT<h:STRUCT<i:ARRAY<DOUBLE>>>>> {code}
functional_parquet.complextypes_arrays_only_view is a view on this table exposing the int arrays:
{code:sql}
CREATE VIEW functional_parquet.complextypes_arrays_only_view AS
SELECT id, int_array, int_array_array FROM functional_parquet.complextypestbl
{code}
Create a Ranger column-masking policy on the view that mask column "id" to "id * 100". The following query will fail:
{code:sql}
select * from functional_parquet.complextypes_arrays_only_view t, t.int_array a;

ERROR: AuthorizationException: User 'quanlong' does not have privileges to execute 'SELECT' on: t.int_array
{code}
Looking into the logs, it's due to the relative TableRef "t.int_array" can't be resolved:
{noformat}
E0119 09:22:52.945945  6748 AnalysisContext.java:625] 464a3aef49695517:b2c7d02900000000] Error analyzing the rewritten query.
Original SQL: SELECT * FROM functional_parquet.complextypes_arrays_only_view t, t.int_array a
Rewritten SQL: SELECT * FROM (SELECT CAST(id * 100 AS BIGINT) id FROM functional_parquet.complextypes_arrays_only_view t)t.int_array a
Java exception follows:
org.apache.impala.common.AnalysisException: Could not resolve table reference: 't.int_array'
        at org.apache.impala.analysis.Analyzer.resolvePath(Analyzer.java:1334)
        at org.apache.impala.analysis.Analyzer.resolvePath(Analyzer.java:1265)
        at org.apache.impala.analysis.Analyzer.resolvePathWithMasking(Analyzer.java:1182)
        at org.apache.impala.analysis.Analyzer.resolveTableRef(Analyzer.java:857)
        at org.apache.impala.analysis.FromClause.analyze(FromClause.java:86)
        at org.apache.impala.analysis.SelectStmt$SelectAnalyzer.analyze(SelectStmt.java:328)
        at org.apache.impala.analysis.SelectStmt$SelectAnalyzer.access$100(SelectStmt.java:280)
        at org.apache.impala.analysis.SelectStmt.analyze(SelectStmt.java:272)
        at org.apache.impala.analysis.AnalysisContext.reAnalyze(AnalysisContext.java:622)
        at org.apache.impala.analysis.AnalysisContext.analyze(AnalysisContext.java:553)
        at org.apache.impala.analysis.AnalysisContext.analyzeAndAuthorize(AnalysisContext.java:468)
        at org.apache.impala.service.Frontend.doCreateExecRequest(Frontend.java:2059)
        at org.apache.impala.service.Frontend.getTExecRequest(Frontend.java:1967)
        at org.apache.impala.service.Frontend.createExecRequest(Frontend.java:1789)
        at org.apache.impala.service.JniFrontend.createExecRequest(JniFrontend.java:164)
I0119 09:22:52.946061  6748 AnalysisContext.java:484] 464a3aef49695517:b2c7d02900000000] Analysis took 132 ms
I0119 09:22:52.949038  6748 BaseAuthorizationChecker.java:113] 464a3aef49695517:b2c7d02900000000] Authorization check took 2 ms 
I0119 09:22:52.949220  6748 jni-util.cc:288] 464a3aef49695517:b2c7d02900000000] org.apache.impala.authorization.AuthorizationException: User 'quanlong' does not have privileges to execute 'SELECT' on: t.int_array
        at org.apache.impala.authorization.BaseAuthorizationChecker.authorizeTableAccess(BaseAuthorizationChecker.java:288)
        at org.apache.impala.authorization.ranger.RangerAuthorizationChecker.authorizeTableAccess(RangerAuthorizationChecker.java:297)
        at org.apache.impala.authorization.BaseAuthorizationChecker.authorize(BaseAuthorizationChecker.java:167)
        at org.apache.impala.analysis.AnalysisContext.analyzeAndAuthorize(AnalysisContext.java:495)
        at org.apache.impala.service.Frontend.doCreateExecRequest(Frontend.java:2059)
        at org.apache.impala.service.Frontend.getTExecRequest(Frontend.java:1967)
        at org.apache.impala.service.Frontend.createExecRequest(Frontend.java:1789)
        at org.apache.impala.service.JniFrontend.createExecRequest(JniFrontend.java:164)
{noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org