You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@impala.apache.org by "Fang-Yu Rao (Code Review)" <ge...@cloudera.org> on 2020/01/30 22:05:55 UTC

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Fang-Yu Rao has uploaded this change for review. ( http://gerrit.cloudera.org:8080/15111


Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................

IMPALA-8587: Show inherited privileges with Ranger show grant

Previously when executing a SHOW GRANT statement on a resource with
Ranger authorization enabled, Impala would not show inherited
privileges. For example, consider a user 'foo' with database-level
privileges granted by:

GRANT SELECT ON DATABASE db TO USER foo;

If later on we would like to retrieve the table-level privileges
associated with the user 'foo' by:

SHOW GRANT USER foo ON TABLE db.table;

We would not see any result before this change. After this change, the
related privileges including the inherited privileges with regard to the
specified resource will be shown. In our example described above, we
will see the following result and therefore the result returned by SHOW
GRANT statement is more informative than the case in which only the
privileges on 'db'.'table' were shown. Notice that in the following
returned result, we are also able to know the specified user's
privileges on any other table under the database 'db'.

+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | foo            | db       | *     | *      |     |     | select    | false        | 1580174954746 |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+

Testing
- Ran all FE tests
- Ran all authorization E2E tests
- Added E2E tests in test_ranger verifying functionality

Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
---
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
M tests/authorization/test_ranger.py
2 files changed, 175 insertions(+), 24 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/11/15111/3
-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 3
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................


Patch Set 5:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/5596/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 5
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 03 Feb 2020 19:27:32 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................


Patch Set 6: Code-Review+2


-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 6
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Fri, 07 Feb 2020 16:47:23 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................

IMPALA-8587: Show inherited privileges with Ranger show grant

Previously when executing a SHOW GRANT statement on a resource with
Ranger authorization enabled, Impala would not show inherited
privileges. For example, consider a user 'foo' with database-level
privileges granted by:

GRANT SELECT ON DATABASE db TO USER foo;

If later on we would like to retrieve the table-level privileges
associated with the user 'foo' by:

SHOW GRANT USER foo ON TABLE db.table;

We would not see any result before this change. After this change, the
related privileges including the inherited privileges with regard to the
specified resource will be shown. In our example described above, we
will see the following result and therefore the result returned by SHOW
GRANT statement is more informative than the case in which only the
privileges on 'db'.'table' were shown. Notice that in the following
returned result, we are also able to know the specified user's
privileges on any other table under the database 'db'.

+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | foo            | db       | *     | *      |     |     | select    | false        | 1580174954746 |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+

Testing
- Ran all FE tests
- Ran all authorization E2E tests
- Added E2E tests in test_ranger verifying functionality

Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Reviewed-on: http://gerrit.cloudera.org:8080/15111
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
M tests/authorization/test_ranger.py
2 files changed, 235 insertions(+), 70 deletions(-)

Approvals:
  Impala Public Jenkins: Looks good to me, approved; Verified

-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 7
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Fang-Yu Rao (Code Review)" <ge...@cloudera.org>.

Fang-Yu Rao has uploaded a new patch set (#5). ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................

IMPALA-8587: Show inherited privileges with Ranger show grant

Previously when executing a SHOW GRANT statement on a resource with
Ranger authorization enabled, Impala would not show inherited
privileges. For example, consider a user 'foo' with database-level
privileges granted by:

GRANT SELECT ON DATABASE db TO USER foo;

If later on we would like to retrieve the table-level privileges
associated with the user 'foo' by:

SHOW GRANT USER foo ON TABLE db.table;

We would not see any result before this change. After this change, the
related privileges including the inherited privileges with regard to the
specified resource will be shown. In our example described above, we
will see the following result and therefore the result returned by SHOW
GRANT statement is more informative than the case in which only the
privileges on 'db'.'table' were shown. Notice that in the following
returned result, we are also able to know the specified user's
privileges on any other table under the database 'db'.

+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+
| USER           | foo            | db       | *     | *      |     |     | select    | false        | 1580174954746 |
+----------------+----------------+----------+-------+--------+-----+-----+-----------+--------------+---------------+

Testing
- Ran all FE tests
- Ran all authorization E2E tests
- Added E2E tests in test_ranger verifying functionality

Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
---
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
M tests/authorization/test_ranger.py
2 files changed, 235 insertions(+), 70 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/11/15111/5
-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 5
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................


Patch Set 6:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/5303/ DRY_RUN=false


-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 6
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Fri, 07 Feb 2020 16:47:24 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Csaba Ringhofer (Code Review)" <ge...@cloudera.org>.

Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................


Patch Set 3: Code-Review+1

(2 comments)

http://gerrit.cloudera.org:8080/#/c/15111/3/tests/authorization/test_ranger.py
File tests/authorization/test_ranger.py:

http://gerrit.cloudera.org:8080/#/c/15111/3/tests/authorization/test_ranger.py@434
PS3, Line 434:     
nit: Can you change the indentation to +4 in the other _check_privileges calls too?


http://gerrit.cloudera.org:8080/#/c/15111/3/tests/authorization/test_ranger.py@438
PS3, Line 438: 
Can you add another test that adds an ALL privilege, e.g. on table level, and checks whether it masks the other privileges?



-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 3
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Fri, 31 Jan 2020 13:20:59 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Csaba Ringhofer (Code Review)" <ge...@cloudera.org>.

Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................


Patch Set 5: Code-Review+2

Thanks for the changes!


-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 5
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Tue, 04 Feb 2020 09:59:32 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................


Patch Set 3:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/5559/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 3
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Thu, 30 Jan 2020 22:25:30 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8587: Show inherited privileges with Ranger show grant

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/15111 )

Change subject: IMPALA-8587: Show inherited privileges with Ranger show grant
......................................................................


Patch Set 6: Verified+1


-- 
To view, visit http://gerrit.cloudera.org:8080/15111
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ia4e679dc6fcf8d0b0e4e0fc2e9b335e2d8bc0899
Gerrit-Change-Number: 15111
Gerrit-PatchSet: 6
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Kurt Deschler <kd...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Fri, 07 Feb 2020 21:37:19 +0000
Gerrit-HasComments: No