Posted to issues-all@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2020/01/24 01:47:00 UTC

[jira] [Comment Edited] (IMPALA-8587) Show inherited privileges in show grant w/ Ranger

    [ https://issues.apache.org/jira/browse/IMPALA-8587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17022635#comment-17022635 ] 

Fang-Yu Rao edited comment on IMPALA-8587 at 1/24/20 1:46 AM:
--------------------------------------------------------------

Two proposed patches are available. One is the patch authored by [~anobis] at [https://gerrit.cloudera.org/c/13673/] and the other by [~fangyurao] at [https://gerrit.cloudera.org/c/14356/4].

The main difference between these 2 patches is that the former provides more information in the result when a user issues a query looking for the privileges granted to a specified user. For example, suppose that a user has issued the SQL statement {{grant all on server to user fangyurao}}. If this user then issues {{show grant user fangyurao on database functional}}, the former approach would produce the following.
{code:java}
Query: show grant user fangyurao on database functional
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | *        |       |        |     | *   | all       | false        | 1579808605799 |
| USER           | fangyurao      | *        | *     | *      |     |     | all       | false        | 1579808605466 |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
{code}
It can be seen that the result also indicates that the specified user, i.e., {{fangyurao}} in this case, is also granted all the privileges of ALL the databases.

On the other hand, the latter approach would output the following, which indicates that the specified user is granted privileges of all the tables and columns of the database {{functional}}.
{code:java}
Query: show grant user fangyurao on database functional
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database   | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | functional |       |        |     | *   | all       | false        | 1579808246841 |
| USER           | fangyurao      | functional | *     | *      |     |     | all       | false        | 1579808246554 |
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
{code}
Both approaches are correct in my view since both fix the issue of not displaying the granted privileges correctly. But in terms of bug fixing, I think the patch of the latter approach is easier to understand (which can be seen from [https://gerrit.cloudera.org/c/13673/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#339] that [~fredyw] cannot understand the logic in the former approach at first glance).

In case we decide to adopt the latter approach, I could also create a JIRA that adopts the former approach that provides a user more information.


was (Author: fangyurao):
Two proposed patches are available. One is the patch authored by [~anobis] at [https://gerrit.cloudera.org/c/13673/] and the other by [~fangyurao] at [https://gerrit.cloudera.org/c/14356/4].

The main difference between these 2 patches is that the former provides more information in the result when a user issues a query looking for the privileges granted to a specified user. For example, suppose that a user has issued the SQL statement {{grant all on server to user fangyurao}}. If this user then issues {{show grant user fangyurao on database functional}}, the former approach would produce the following.
{code:java}
Query: show grant user fangyurao on database functional
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | *        |       |        |     | *   | all       | false        | 1579808605799 |
| USER           | fangyurao      | *        | *     | *      |     |     | all       | false        | 1579808605466 |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
{code}
It can be seen that the result also indicates that the specified user, i.e., {{fangyurao}} in this case, is also granted all the privileges of all the databases.

On the other hand, the latter approach would output the following, which indicates that the specified user is granted privileges of all the tables and columns of the database {{functional}}.
{code:java}
Query: show grant user fangyurao on database functional
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database   | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | functional |       |        |     | *   | all       | false        | 1579808246841 |
| USER           | fangyurao      | functional | *     | *      |     |     | all       | false        | 1579808246554 |
+----------------+----------------+------------+-------+--------+-----+-----+-----------+--------------+---------------+
{code}
Both approaches are correct in my view since both fix the issue of not displaying the granted privileges correctly. But in terms of bug fixing, I think the patch of the latter approach is easier to understand (which can be seen from [https://gerrit.cloudera.org/c/13673/3/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#339] that [~fredyw] cannot understand the logic in the former approach at first glance).

In case we decide to adopt the latter approach, I could also create a JIRA that adopts the former approach that provides a user more information.

> Show inherited privileges in show grant w/ Ranger
> -------------------------------------------------
>
>                 Key: IMPALA-8587
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8587
>             Project: IMPALA
>          Issue Type: Sub-task
>          Components: Frontend
>            Reporter: Austin Nobis
>            Assignee: Fang-Yu Rao
>            Priority: Critical
>
> If an admin has privileges from:
> *grant all on server to user admin;*
>  
> Currently the command below will show no results:
> *show grant user admin on database functional;*
>  
> After the change, the user should see server level privileges from:
> *show grant user admin on database functional;*
>  
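
The behaviour discussed in this message, as an added example that is not part of the original message and is not Impala or Ranger code: a small model of the pre-fix lookup that returns no rows, and of the two output styles compared in the comment. The function names, the grant records (the third one is constructed) and the use of Python's `fnmatch` for wildcard matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed grant records. The first two mirror the rows shown in the
# comment for "grant all on server to user fangyurao"; the third is made up.
GRANTS = [
    {"principal": "fangyurao", "database": "*", "table": "", "column": "",
     "udf": "*", "privilege": "all"},
    {"principal": "fangyurao", "database": "*", "table": "*", "column": "*",
     "udf": "", "privilege": "all"},
    {"principal": "etl", "database": "tpch", "table": "*", "column": "*",
     "udf": "", "privilege": "select"},
]


def show_grant_exact(user, database, grants=GRANTS):
    """Pre-fix behaviour from the issue: literal match only, so a
    server-level grant stored as '*' is never reported."""
    return [g for g in grants
            if g["principal"] == user and g["database"] == database]


def show_grant_inherited(user, database, grants=GRANTS):
    """Former style: report every grant that covers the database,
    exactly as stored, so the '*' scope stays visible."""
    return [g for g in grants
            if g["principal"] == user
            and fnmatchcase(database, g["database"])]


def show_grant_narrowed(user, database, grants=GRANTS):
    """Latter style: same covering grants, but the database column is
    rewritten to the database that was asked about."""
    return [{**g, "database": database}
            for g in show_grant_inherited(user, database, grants)]


if __name__ == "__main__":
    for fn in (show_grant_exact, show_grant_inherited, show_grant_narrowed):
        rows = fn("fangyurao", "functional")
        print(fn.__name__, [(r["database"], r["table"], r["udf"]) for r in rows])
```

Both fixed styles return the same two grants; only the former keeps the `*` that tells a reviewer the privilege reaches beyond the database named in the query.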


