You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/02/08 17:45:00 UTC

[jira] [Commented] (IMPALA-8587) Show inherited privileges in show grant w/ Ranger

    [ https://issues.apache.org/jira/browse/IMPALA-8587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17032948#comment-17032948 ] 

ASF subversion and git services commented on IMPALA-8587:
---------------------------------------------------------

Commit c07f54b3c45c0b1ae18c458d744d154db89f5e3c in impala's branch refs/heads/master from Austin Nobis
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=c07f54b ]

IMPALA-8587: Show inherited privileges with Ranger show grant

Previously when executing a SHOW GRANT statement on a resource with
Ranger authorization enabled, Impala would not show inherited
privileges. For example, consider a user 'foo' with database-level
privileges granted by:

GRANT SELECT ON DATABASE db TO USER foo;

If later on we would like to retrieve the table-level privileges
associated with the user 'foo' by:

SHOW GRANT USER foo ON TABLE db.table;

We would not see any result before this change. After this change, the
related privileges including the inherited privileges with regard to the
specified resource will be shown. In our example described above, we
will see the following result and therefore the result returned by SHOW
GRANT statement is more informative than the case in which only the
privileges on 'db'.'table' were shown. Notice that in the following
returned result, we are also able to know the specified user's
privileges on any other table under the database 'db'.

+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | foo            | db       | *     | *      |     |     | select    | false        | 1580174954746 |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+

Testing
- Ran all FE tests
- Ran all authorization E2E tests
- Added E2E tests in test_ranger verifying functionality

Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Reviewed-on: http://gerrit.cloudera.org:8080/15111
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Show inherited privileges in show grant w/ Ranger
> -------------------------------------------------
>
>                 Key: IMPALA-8587
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8587
>             Project: IMPALA
>          Issue Type: Sub-task
>          Components: Frontend
>            Reporter: Austin Nobis
>            Assignee: Fang-Yu Rao
>            Priority: Critical
>
> If an admin has privileges from:
> *grant all on server to user admin;*
>  
> Currently the command below will show no results:
> *show grant user admin on database functional;*
>  
> After the change, the user should see server level privileges from:
> *show grant user admin on database functional;*
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org