Posted to commits@impala.apache.org by cs...@apache.org on 2019/09/11 13:06:44 UTC
[impala] 03/03: IMPALA-8933: Enforce ranger deny policy
This is an automated email from the ASF dual-hosted git repository.
csringhofer pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit b37dd05e8f35bba5d9126ef79b35c1831f966f1b
Author: Kurt Deschler <kd...@cloudera.com>
AuthorDate: Mon Sep 9 19:32:18 2019 -0500
IMPALA-8933: Enforce ranger deny policy
This patch fixes a case where access to a given column is allowed at the
table level by a ranger policy and denied at the column level by a
second ranger policy. The code previously skipped evaluating column
level policies when a table level policy allowed access but that
optimization can only be applied when the column level policy does not
deny access.
Testing:
- Manually tested with table level allow and column level deny policies
in ranger
- Ran ranger-specific authorization functional and unit tests
Steps to Repro:
Connect impala-shell as admin:
CREATE table(c1 int, c2 int);
INSERT INTO T1 VALUES(1,1);
In Ranger:
Add policies:
1) Name t1allow, Database *, Table t1,
Allow conditions user: <unix login>, Permissions: select
2) Name t1deny, Database *, Table t1,
Deny conditions user: <unix login>, Permissions: select
Connect impala-shell as <unix login>:
SELECT c1 from t1; -- Not allowed
SELECT c2 from t1; -- Allowed
Change-Id: Ic60786cd81080feeb0bfcd92aa2be646ee8cb7da
Reviewed-on: http://gerrit.cloudera.org:8080/14203
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
.../org/apache/impala/authorization/BaseAuthorizationChecker.java | 7 ++++++-
.../org/apache/impala/authorization/ranger/RangerAuditLogTest.java | 4 ++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java b/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
index 15cbb9a..9e171d9 100644
--- a/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
+++ b/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
@@ -231,7 +231,12 @@ public abstract class BaseAuthorizationChecker implements AuthorizationChecker {
} else {
Preconditions.checkState(
request.getAuthorizable().getType() == Authorizable.Type.COLUMN);
- if (hasTableSelectPriv) continue;
+ // In order to support deny policies on columns
+ if (hasTableSelectPriv &&
+ request.getPrivilege() != Privilege.SELECT &&
+ request.getPrivilege() != Privilege.INSERT) {
+ continue;
+ }
if (hasAccess(authzCtx, analyzer.getUser(), request)) {
hasColumnSelectPriv = true;
continue;
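Review bot: The added comment `// In order to support deny policies on columns` does not say why SELECT and INSERT are the only privileges for which a table-level grant no longer short-circuits the column check, which is the core of the fix; a reader skimming the loop later will not know whether other privileges on a COLUMN authorizable are deliberately still skipped or an oversight. I would replace it with `// A table-level SELECT grant must not short-circuit column checks for SELECT/INSERT: a` / `// column-level deny policy has to be evaluated even when the table policy allows (IMPALA-8933).` Calling `request.getPrivilege()` twice in one condition also reads awkwardly; hoisting it into `Privilege priv = request.getPrivilege();` before the `if` would shorten both comparisons. Presumably a false result from the `hasAccess` call below falls through to a denial, but that branch and the rest of the enclosing method lie outside this hunk.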
diff --git a/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java b/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
index 1f4a6a4..48cbd70 100644
--- a/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
+++ b/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
@@ -102,8 +102,8 @@ public class RangerAuditLogTest extends AuthorizationTestBase {
onUri("hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL));
authzOk(events -> {
- // Only the table event.
- assertEquals(1, events.size());
+ // Table event and 2 column events
+ assertEquals(3, events.size());
assertEventEquals("@table", "select", "functional/alltypes", 1, events.get(0));
assertEquals("select id, string_col from functional.alltypes",
events.get(0).getRequestData());