You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/06/03 11:40:00 UTC

[jira] [Created] (IMPALA-10728) Impala should check access privileges inside masking expressions

Quanlong Huang created IMPALA-10728:
---------------------------------------

             Summary: Impala should check access privileges inside masking expressions
                 Key: IMPALA-10728
                 URL: https://issues.apache.org/jira/browse/IMPALA-10728
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend, Security
    Affects Versions: Impala 4.0
            Reporter: Quanlong Huang
            Assignee: Quanlong Huang


Row-filtering/column-masking policies may have subqueries which involve some other tables. These tables can have associate policies as well. Currently, Impala won't check any policies on these tables, including access policies and masking policies (row-filtering/column-masking). The rational is these expressions are evaluated in admin's point of view. Another reason is to avoid recursive masking, and sometimes infinite recursive masking. E.g. a row-filter subquery can have tables that also have such kind of row-filters.

Although Hive also skipps applying masking policies recursively inside masking/filtering expressions, Hive still check access policies inside them. To avoid breaking users that depend on this, we'd better be compatible with Hive's behavior first.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org