Posted to commits@impala.apache.org by kw...@apache.org on 2019/05/05 04:32:48 UTC
[impala] 01/04: IMPALA-8472: Fix the refresh privilege workaround
in Ranger
This is an automated email from the ASF dual-hosted git repository.
kwho pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 1423122945a901792c205d1532593f36c5fd2f87
Author: Fredy Wijaya <fw...@cloudera.com>
AuthorDate: Fri May 3 08:06:31 2019 -0700
IMPALA-8472: Fix the refresh privilege workaround in Ranger
This patch replaces the refresh privilege workaround with the privilege
properly defined in Ranger (see RANGER-2374).
Testing:
- Ran all FE tests
- Ran all E2E authorization tests
Change-Id: Ica8216353b10ad7366a2b5b7b7d86a4e0af844f8
Reviewed-on: http://gerrit.cloudera.org:8080/13229
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
.../impala/authorization/ranger/RangerAuthorizationChecker.java | 5 -----
.../authorization/ranger/RangerCatalogdAuthorizationManager.java | 4 ----
tests/authorization/test_ranger.py | 3 +++
3 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
index 1a0f2df..b938bee 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
@@ -57,7 +57,6 @@ public class RangerAuthorizationChecker extends AuthorizationChecker {
// These are Ranger access types (privileges).
public static final String UPDATE_ACCESS_TYPE = "update";
- public static final String REFRESH_ACCESS_TYPE = "read";
public static final String SELECT_ACCESS_TYPE = "select";
private final RangerDefaultAuditHandler auditHandler_;
@@ -266,10 +265,6 @@ public class RangerAuthorizationChecker extends AuthorizationChecker {
} else if (privilege == Privilege.INSERT) {
// Ranger plugin for Hive considers INSERT to be UPDATE.
accessType = UPDATE_ACCESS_TYPE;
- } else if (privilege == Privilege.REFRESH) {
- // TODO: this is a hack. It will need to be fixed once refresh is added into Hive
- // service definition.
- accessType = REFRESH_ACCESS_TYPE;
} else {
accessType = privilege.name().toLowerCase();
}
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
index 87ca927..ad7d02d 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
@@ -277,10 +277,6 @@ public class RangerCatalogdAuthorizationManager implements AuthorizationManager
if (level == TPrivilegeLevel.INSERT) {
request.getAccessTypes().add(RangerAuthorizationChecker.UPDATE_ACCESS_TYPE);
- } else if (level == TPrivilegeLevel.REFRESH) {
- // TODO: this is a hack. It will need to be fixed once refresh is added into Hive
- // service definition.
- request.getAccessTypes().add(RangerAuthorizationChecker.REFRESH_ACCESS_TYPE);
} else {
request.getAccessTypes().add(level.name().toLowerCase());
}
diff --git a/tests/authorization/test_ranger.py b/tests/authorization/test_ranger.py
index b1e62c1..b66cc58 100644
--- a/tests/authorization/test_ranger.py
+++ b/tests/authorization/test_ranger.py
@@ -214,16 +214,19 @@ class TestRanger(CustomClusterTestSuite):
["USER", user, "", "", "", "*", "", "create", "false"],
["USER", user, "", "", "", "*", "", "drop", "false"],
["USER", user, "", "", "", "*", "", "insert", "false"],
+ ["USER", user, "", "", "", "*", "", "refresh", "false"],
["USER", user, "", "", "", "*", "", "select", "false"],
["USER", user, "*", "", "", "", "*", "alter", "false"],
["USER", user, "*", "", "", "", "*", "create", "false"],
["USER", user, "*", "", "", "", "*", "drop", "false"],
["USER", user, "*", "", "", "", "*", "insert", "false"],
+ ["USER", user, "*", "", "", "", "*", "refresh", "false"],
["USER", user, "*", "", "", "", "*", "select", "false"],
["USER", user, "*", "*", "*", "", "", "alter", "false"],
["USER", user, "*", "*", "*", "", "", "create", "false"],
["USER", user, "*", "*", "*", "", "", "drop", "false"],
["USER", user, "*", "*", "*", "", "", "insert", "false"],
+ ["USER", user, "*", "*", "*", "", "", "refresh", "false"],
["USER", user, "*", "*", "*", "", "", "select", "false"]])
admin_client.execute("grant all on server to user {0}".format(user))
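Review bot: The three added `refresh` rows only check what the grant listing shows after `grant all on server`; nothing in this hunk exercises enforcement of the new access type. The Java hunks in this commit drop the `REFRESH_ACCESS_TYPE = "read"` mapping, so REFRESH now falls through to the lower-cased privilege name, and the authorization decision depends on Ranger's service definition actually carrying `refresh` (RANGER-2374). A case worth adding would grant only that privilege, e.g. `admin_client.execute("grant refresh on server to user {0}".format(user))`, and assert that a refresh succeeds, plus a negative case where a user holding only `select` is denied. The enclosing test method starts and ends outside the hunk, so such coverage may already exist elsewhere in the file.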