You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/01/20 23:11:00 UTC

[jira] [Issue Comment Deleted] (IMPALA-10415) SHOW GRANT statement should perform a check for requesting user

     [ https://issues.apache.org/jira/browse/IMPALA-10415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Quanlong Huang updated IMPALA-10415:
------------------------------------
    Comment: was deleted

(was: Similar with IMPALA-1130 but the error details are different. Current error is:
{code:java}
[localhost:21050] default> select 'รจ'
                         > ;
Traceback (most recent call last):
  File "/home/quanlong/workspace/Impala/shell/impala_shell.py", line 2063, in <module>
    impala_shell_main()
  File "/home/quanlong/workspace/Impala/shell/impala_shell.py", line 2028, in impala_shell_main
    shell.cmdloop(intro)
  File "/home/quanlong/workspace/Impala/toolchain/toolchain-packages-gcc7.5.0/python-2.7.16/lib/python2.7/cmd.py", line 141, in cmdloop
    line = self.precmd(line)
  File "/home/quanlong/workspace/Impala/shell/impala_shell.py", line 632, in precmd
    args = self.sanitise_input(args.decode('utf-8'))  # python2
  File "/home/quanlong/workspace/Impala/shell/impala_shell.py", line 436, in sanitise_input
    tokens = args.strip().split(' ')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 8: ordinal not in range(128)
{code}
I also verified that impala-3.4 doesn't have this issue. So maybe some changes in impala-4.0 cause this.)

> SHOW GRANT statement should perform a check for requesting user
> ---------------------------------------------------------------
>
>                 Key: IMPALA-10415
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10415
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Frontend, Security
>            Reporter: Quanlong Huang
>            Assignee: Fang-Yu Rao
>            Priority: Major
>              Labels: backwards-compatibility, security
>
> We found that the {{SHOW GRANT}} statement does not really perform a check for the requesting user to determine whether the requesting user is authorized to access the result. Specifically, there is no such check in [RangerImpaladAuthorizationManager#getPrivileges()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java#L340-L403].
> Recall that such a check was performed when we were using Sentry as the authorization provider. Refer to [SentryImpaladAuthorizationManager#getPrivileges()|https://gerrit.cloudera.org/c/15833/8/fe/src/main/java/org/apache/impala/authorization/sentry/SentryImpaladAuthorizationManager.java#b203].
> Such an issue is partly due to the fact that we do not have a dedicated Ranger API to check whether a user is a Ranger administrator, which is also currently tracked at [RANGER-3127|https://issues.apache.org/jira/browse/RANGER-3127].



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org