Posted to issues@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/02/08 03:29:00 UTC
[jira] [Created] (IMPALA-10484) Support using unrelated collection columns of a table containing row-filtering policies
Quanlong Huang created IMPALA-10484:
---------------------------------------
Summary: Support using unrelated collection columns of a table containing row-filtering policies
Key: IMPALA-10484
URL: https://issues.apache.org/jira/browse/IMPALA-10484
Project: IMPALA
Issue Type: New Feature
Components: Security
Affects Versions: Impala 4.0
Reporter: Quanlong Huang
This is a follow-up for IMPALA-9234. Row-filtering policies are applied as the WHERE clause of the table masking view of the base table/view. E.g. if table "tblA" contains a row-filtering policy "id=0", the original query "{{select * from tblA join tblB on (id)}}" will be analyzed as
{code:sql}
select * from (
select col1, col2, ..., colN from tblA where id = 0
) v join tblB on (id)
{code}
Tables containing complex types are more complex to analyze. Let's say "tblA" contains two columns:
||id int||int_array array<int>||
|0|[1,2,3]|
|1|[4,5]|
The following queries get all items of the array column:
{code:sql}
-- Good for applying table masking view on tblA
select a.item from tblA t, t.int_array a;
-- Hard to apply table masking view on tblA
select item from tblA.int_array;
{code}
The second query uses an unrelated collection column directly, so we can't apply the row-filtering policies on the base table. This will leak data, so IMPALA-9234 forbids such queries.
We can support this by rewriting the second query to the first one. Luckily, we already have a rewriter with this ability: {{AcidRewriter}} in {{StmtRewriter}}. With some refactoring it can be reused. However, there is a bug (IMPALA-10482) that needs to be fixed first.
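The leak and the rewrite described in this issue, modeled on the sample rows above. This is an added example, not Impala code or part of the original message. It assumes SQLite as a stand-in engine, with the array column modeled as a hypothetical child table {{tblA_int_array}} because SQLite has no nested types.

```python
import sqlite3

# Constructed sample data mirroring the table in the issue. SQLite has no nested
# types, so int_array is modeled as a child table keyed by the parent row's id.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table tblA (id int);
        create table tblA_int_array (parent_id int, pos int, item int);
        insert into tblA values (0), (1);
        insert into tblA_int_array values
            (0, 0, 1), (0, 1, 2), (0, 2, 3), (1, 0, 4), (1, 1, 5);
    """)
    return db

ROW_FILTER = "id = 0"  # the row-filtering policy from the issue

def unrelated_collection_scan(db):
    """Models `select item from tblA.int_array`: the collection is read on its
    own, so no tblA row is in scope for the policy predicate to apply to."""
    rows = db.execute("select item from tblA_int_array order by parent_id, pos")
    return [r[0] for r in rows]

def relative_collection_scan(db):
    """Models `select a.item from tblA t, t.int_array a` after tblA is replaced
    by its table masking view, whose WHERE clause carries the row filter."""
    sql = f"""
        select a.item
        from (select id from tblA where {ROW_FILTER}) t
        join tblA_int_array a on a.parent_id = t.id
        order by a.parent_id, a.pos
    """
    return [r[0] for r in db.execute(sql)]

def leaked_items(db):
    """Items visible through the unrelated form that the policy should hide."""
    allowed = set(relative_collection_scan(db))
    return [i for i in unrelated_collection_scan(db) if i not in allowed]

if __name__ == "__main__":
    db = build_db()
    print("unrelated:", unrelated_collection_scan(db))
    print("relative :", relative_collection_scan(db))
    print("leaked   :", leaked_items(db))
```

The same comparison, run against a real deployment with a row-filtering policy in place, works as a regression check for the rewrite: the two query forms must return the same items.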