You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2021/01/11 17:02:00 UTC

[jira] [Created] (IMPALA-10434) SHOW GRANT statement should perform a check for requesting user

Fang-Yu Rao created IMPALA-10434:
------------------------------------

             Summary: SHOW GRANT statement should perform a check for requesting user
                 Key: IMPALA-10434
                 URL: https://issues.apache.org/jira/browse/IMPALA-10434
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend, Security
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


We found that the {{SHOW GRANT}} statement does not really perform a check for the requesting user to determine whether the requesting user is authorized to access the result. Specifically, there is no such check in [RangerImpaladAuthorizationManager#getPrivileges()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L340-L403].

Recall that such a check was performed when we were using Sentry as the authorization provider. Refer to [SentryImpaladAuthorizationManager#getPrivileges()|https://gerrit.cloudera.org/c/15833/8/fe/src/main/java/org/apache/impala/authorization/sentry/SentryImpaladAuthorizationManager.java#b203].

Such an issue is partly due to the fact that we do not have a dedicated Ranger API to check whether a user is a Ranger administrator, which is also currently tracked at [RANGER-3127|https://issues.apache.org/jira/browse/RANGER-3127].




--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org