Posted to commits@impala.apache.org by kw...@apache.org on 2019/05/05 04:32:48 UTC

[impala] 01/04: IMPALA-8472: Fix the refresh privilege workaround in Ranger

This is an automated email from the ASF dual-hosted git repository.

kwho pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 1423122945a901792c205d1532593f36c5fd2f87
Author: Fredy Wijaya <fw...@cloudera.com>
AuthorDate: Fri May 3 08:06:31 2019 -0700

    IMPALA-8472: Fix the refresh privilege workaround in Ranger
    
    This patch replaces the refresh privilege workaround with the refresh
    privilege that is now properly defined in Ranger (see RANGER-2374).
    
    Testing:
    - Ran all FE tests
    - Ran all E2E authorization tests
    
    Change-Id: Ica8216353b10ad7366a2b5b7b7d86a4e0af844f8
    Reviewed-on: http://gerrit.cloudera.org:8080/13229
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 .../impala/authorization/ranger/RangerAuthorizationChecker.java      | 5 -----
 .../authorization/ranger/RangerCatalogdAuthorizationManager.java     | 4 ----
 tests/authorization/test_ranger.py                                   | 3 +++
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
index 1a0f2df..b938bee 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
@@ -57,7 +57,6 @@ public class RangerAuthorizationChecker extends AuthorizationChecker {
 
   // These are Ranger access types (privileges).
   public static final String UPDATE_ACCESS_TYPE = "update";
-  public static final String REFRESH_ACCESS_TYPE = "read";
   public static final String SELECT_ACCESS_TYPE = "select";
 
   private final RangerDefaultAuditHandler auditHandler_;
@@ -266,10 +265,6 @@ public class RangerAuthorizationChecker extends AuthorizationChecker {
     } else if (privilege == Privilege.INSERT) {
       // Ranger plugin for Hive considers INSERT to be UPDATE.
       accessType = UPDATE_ACCESS_TYPE;
-    } else if (privilege == Privilege.REFRESH) {
-      // TODO: this is a hack. It will need to be fixed once refresh is added into Hive
-      // service definition.
-      accessType = REFRESH_ACCESS_TYPE;
     } else {
       accessType = privilege.name().toLowerCase();
     }
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
index 87ca927..ad7d02d 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
@@ -277,10 +277,6 @@ public class RangerCatalogdAuthorizationManager implements AuthorizationManager
 
     if (level == TPrivilegeLevel.INSERT) {
       request.getAccessTypes().add(RangerAuthorizationChecker.UPDATE_ACCESS_TYPE);
-    } else if (level == TPrivilegeLevel.REFRESH) {
-      // TODO: this is a hack. It will need to be fixed once refresh is added into Hive
-      // service definition.
-      request.getAccessTypes().add(RangerAuthorizationChecker.REFRESH_ACCESS_TYPE);
     } else {
       request.getAccessTypes().add(level.name().toLowerCase());
     }
diff --git a/tests/authorization/test_ranger.py b/tests/authorization/test_ranger.py
index b1e62c1..b66cc58 100644
--- a/tests/authorization/test_ranger.py
+++ b/tests/authorization/test_ranger.py
@@ -214,16 +214,19 @@ class TestRanger(CustomClusterTestSuite):
         ["USER", user, "", "", "", "*", "", "create", "false"],
         ["USER", user, "", "", "", "*", "", "drop", "false"],
         ["USER", user, "", "", "", "*", "", "insert", "false"],
+        ["USER", user, "", "", "", "*", "", "refresh", "false"],
         ["USER", user, "", "", "", "*", "", "select", "false"],
         ["USER", user, "*", "", "", "", "*", "alter", "false"],
         ["USER", user, "*", "", "", "", "*", "create", "false"],
         ["USER", user, "*", "", "", "", "*", "drop", "false"],
         ["USER", user, "*", "", "", "", "*", "insert", "false"],
+        ["USER", user, "*", "", "", "", "*", "refresh", "false"],
         ["USER", user, "*", "", "", "", "*", "select", "false"],
         ["USER", user, "*", "*", "*", "", "", "alter", "false"],
         ["USER", user, "*", "*", "*", "", "", "create", "false"],
         ["USER", user, "*", "*", "*", "", "", "drop", "false"],
         ["USER", user, "*", "*", "*", "", "", "insert", "false"],
+        ["USER", user, "*", "*", "*", "", "", "refresh", "false"],
         ["USER", user, "*", "*", "*", "", "", "select", "false"]])
 
       admin_client.execute("grant all on server to user {0}".format(user))
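Review bot: The three added `"refresh"` rows only extend an expected privilege listing; nothing in this hunk exercises the authorization decision the commit changes, where REFRESH is now checked against Ranger's `refresh` access type instead of `read`. Unless it is already covered elsewhere in test_ranger.py, I would add a case where a user without the refresh privilege is refused a REFRESH statement, and is allowed once `refresh` is granted. That would also catch a Ranger service definition that predates RANGER-2374 and has no `refresh` access type, and it would show that policies written against the old `read` mapping no longer authorize REFRESH after upgrade. The enclosing test method starts before this hunk and continues after it, so the right place for the new case is not visible from here.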