Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/01/16 11:40:00 UTC

[jira] [Commented] (IMPALA-10986) Specific privilege should be required to execute a UDF in Impala

    [ https://issues.apache.org/jira/browse/IMPALA-10986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17677334#comment-17677334 ] 

ASF subversion and git services commented on IMPALA-10986:
----------------------------------------------------------

Commit ed91dc69a16d764093b84ba65452259c49e9f34e in impala's branch refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=ed91dc69a ]

IMPALA-10986 (Addendum): Add and refactor some E2E tests

This patch adds an additional test case in test_select_function to
verify Impala's behavior when a user tries to execute a UDF in an INSERT
statement. Moreover, some test functions added in IMPALA-10986 are
refactored according to reviewers' suggestion.

Change-Id: Ieb4f69934401a745da66a983528a7a3679279c28
Reviewed-on: http://gerrit.cloudera.org:8080/19394
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Specific privilege should be required to execute a UDF in Impala
> ----------------------------------------------------------------
>
>                 Key: IMPALA-10986
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10986
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 4.0.0
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>         Attachments: ranger_policy_for_udfs_impala.png
>
>
> We found that currently in Impala, to execute a UDF, a user only has to be granted one of the 3 privileges in {{INSERT}}, {{SELECT}}, {{REFRESH}} on the database (i.e., the {{VIEW_METADATA}} privilege on the database) where the UDF was created. No additional privilege on the UDF is required. An example of the policy added via Ranger's web UI allowing a user to execute a UDF is also provided here.
> !ranger_policy_for_udfs_impala.png!
> The privilege request of {{VIEW_METADATA}} on the database is registered within [analyzer.getDb(fnName_.getDb(), Privilege.VIEW_METADATA, true)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L557]. This is the reason why the user has to be granted the VIEW_METADATA privilege on the database to be able to execute the UDF.
> Recall that the registration of the privilege mentioned above occurs in [FunctionCallExpr#analyzeImpl()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L531] where Impala's frontend analyzes the given function in a query.
> I noticed in the same method above at [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java#L535], Impala is able to determine whether the current function is a UDF or not. Thus it seems that to fix the problem, we need to additionally register the corresponding privilege request for a UDF (vs. a built-in function) other than the {{VIEW_METADATA}} privilege on the database.
> We should thus provide a fix for the issue.


