You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2021/05/21 00:25:00 UTC

[jira] [Updated] (IMPALA-10712) SET OWNER ROLE of a database/table/view is not supported when Ranger is the authorization provider

     [ https://issues.apache.org/jira/browse/IMPALA-10712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fang-Yu Rao updated IMPALA-10712:
---------------------------------
    Summary: SET OWNER ROLE <role_name> of a database/table/view is not supported when Ranger is the authorization provider  (was: ALTER DATABASE <database_name> SET OWNER ROLE <role_name> is not supported when Ranger is the authorization provider)

> SET OWNER ROLE <role_name> of a database/table/view is not supported when Ranger is the authorization provider
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-10712
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10712
>             Project: IMPALA
>          Issue Type: Improvement
>    Affects Versions: Impala 4.0
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> We found that {{ALTER DATABASE <database_name> SET OWNER ROLE <role_name>}} is not supported when Ranger is the authorization provider. Specifically, we will hit the non-null check for the given role at [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AlterDbSetOwnerStmt.java#L59] due to the fact that the {{AuthorizationPolicy}} returned from {{getAuthPolicy()}} does not cache any policy-related information if the authorization provider is Ranger, which is different than the case when Sentry was the authorization provider.
> When Ranger is the authorization provider, the currently existing roles are cached by {{RangerImpalaPlugin}}. Therefore to address the issue above, we could probably invoke {{getRoles().getRangerRoles()}} provided by the {{RangerImpalaPlugin}} to retrieve the set of existing roles, similar to what is done at [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L135].
> Tagged [~joemcdonnell] and [~shajini] since I realized this when reviewing Joe's comment at [https://gerrit.cloudera.org/c/17469/1/docs/topics/impala_alter_database.xml#b68].



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org