You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "bharath v (Jira)" <ji...@apache.org> on 2019/09/06 04:13:00 UTC

[jira] [Created] (IMPALA-8921) Use kerberos short name for ranger requests.

bharath v created IMPALA-8921:
---------------------------------

             Summary: Use kerberos short name for ranger requests.
                 Key: IMPALA-8921
                 URL: https://issues.apache.org/jira/browse/IMPALA-8921
             Project: IMPALA
          Issue Type: Bug
          Components: Catalog, Frontend
    Affects Versions: Impala 3.2.0, Impala 3.3.0
            Reporter: bharath v
            Assignee: bharath v


For certain grant/revoke requests, we are using the full name, which is a fully qualified user principal.

{noformat}
@Override
  public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
      TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
    List<GrantRevokeRequest> requests = createGrantRevokeRequests(
====>        header.getRequesting_user(), true, params.getPrincipal_name(),
        Collections.emptyList(), plugin_.get().getClusterName(),
        header.getClient_ip(), params.getPrivileges());


@Override
  public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
      TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
    List<GrantRevokeRequest> requests = createGrantRevokeRequests(
====>        header.getRequesting_user(), false, params.getPrincipal_name(),
        Collections.emptyList(), plugin_.get().getClusterName(),
        header.getClient_ip(), params.getPrivileges());

@Override
  public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
      TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
    List<GrantRevokeRequest> requests = createGrantRevokeRequests(
=>>>        header.getRequesting_user(), true, null,
        Collections.singletonList(params.getPrincipal_name()),
        plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());

  @Override
  public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
      TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
    List<GrantRevokeRequest> requests = createGrantRevokeRequests(
===>        header.getRequesting_user(), false, null,
        Collections.singletonList(params.getPrincipal_name()),
        plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());

{noformat}

Ranger expects a short name instead. The bug existed since the original implementation [1], but the code has been later refactored.

[1] https://gerrit.cloudera.org/#/c/12914/




--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org