Posted to issues-all@impala.apache.org by "Kurt Deschler (Jira)" <ji...@apache.org> on 2019/09/11 16:06:00 UTC

[jira] [Updated] (IMPALA-8933) Ranger column deny policies not respected under certain circumstances

     [ https://issues.apache.org/jira/browse/IMPALA-8933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kurt Deschler updated IMPALA-8933:
----------------------------------
    Description: 
Ranger authorization checker missed a case of handling column level deny policies for select and insert statements. This issue causes the policies to not be enforced and can allow unintended access to protected columns.


 Steps to Repro:
 Connect impala-shell as admin:
 CREATE TABLE t1(c1 int, c2 int);
 INSERT INTO T1 VALUES(1,1);
 In Ranger:
 Add policies:
 1) Name t1allow, Database *, Table t1,
 Allow conditions user: <unix login>, Permissions: select
 2) Name t1deny, Database *, Table t1,
 Deny conditions user: <unix login>, Permissions: select
 Connect impala-shell as <unix login>:
 SELECT c1 from t1; -- Not allowed
 SELECT c2 from t1; -- Allowed

> Ranger column deny policies not respected under certain circumstances
> ---------------------------------------------------------------------
>
>                 Key: IMPALA-8933
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8933
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: Impala 3.4.0
>            Reporter: Kurt Deschler
>            Assignee: Kurt Deschler
>            Priority: Major
>              Labels: ranger
>



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
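
An added example, not part of the original report and not Impala or Ranger code: a simplified deny-overrides model of the two policies in the repro, usable as an oracle for what the repro queries should return once column-level deny is enforced. It assumes the t1deny policy is scoped to column c1 (the report does not state the column) and uses the hypothetical user `alice` in place of <unix login> and the hypothetical database name `default`.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Policy(NamedTuple):
    name: str
    database: str
    table: str
    column: str      # "*" matches every column
    user: str
    permission: str
    deny: bool

# Constructed policies mirroring the repro. The column of t1deny (c1) is an
# assumption; "alice" stands in for <unix login>.
POLICIES = [
    Policy("t1allow", "*", "t1", "*", "alice", "select", deny=False),
    Policy("t1deny", "*", "t1", "c1", "alice", "select", deny=True),
]

def _matches(p, user, perm, db, table, column):
    return (p.user == user and p.permission == perm
            and fnmatchcase(db, p.database)
            and fnmatchcase(table, p.table)
            and fnmatchcase(column, p.column))

def column_allowed(policies, user, perm, db, table, column):
    """Deny-overrides: any matching deny wins, otherwise an allow is required."""
    hits = [p for p in policies if _matches(p, user, perm, db, table, column)]
    if any(p.deny for p in hits):
        return False
    return any(not p.deny for p in hits)

def statement_allowed(policies, user, perm, db, table, columns):
    """A statement passes only if every column it references passes."""
    return bool(columns) and all(
        column_allowed(policies, user, perm, db, table, c) for c in columns)

def expected_matrix():
    """Expected outcome for each repro query, keyed by referenced columns."""
    cases = [("c1",), ("c2",), ("c1", "c2")]
    return {c: statement_allowed(POLICIES, "alice", "select", "default", "t1", c)
            for c in cases}

if __name__ == "__main__":
    for cols, ok in expected_matrix().items():
        print("SELECT", ", ".join(cols), "FROM t1 ->", "allowed" if ok else "denied")
```

Comparing this matrix with the results impala-shell actually returns for the same queries shows whether the table-level allow is masking the column-level deny.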
