You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Kurt Deschler (Jira)" <ji...@apache.org> on 2019/09/11 16:07:00 UTC
[jira] [Work started] (IMPALA-8933) Ranger column deny policies not
respected under certain circumstances
[ https://issues.apache.org/jira/browse/IMPALA-8933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on IMPALA-8933 started by Kurt Deschler.
---------------------------------------------
> Ranger column deny policies not respected under certain circumstances
> ---------------------------------------------------------------------
>
> Key: IMPALA-8933
> URL: https://issues.apache.org/jira/browse/IMPALA-8933
> Project: IMPALA
> Issue Type: Bug
> Components: Security
> Affects Versions: Impala 3.4.0
> Reporter: Kurt Deschler
> Assignee: Kurt Deschler
> Priority: Major
> Labels: ranger
>
> Ranger authorization checker missed a case of handling column level deny policies for select and insert statements. This issue causes the policies to not be enforced and can allow unintended access to protected columns.
> Steps to Repro:
> Connect impala-shell as admin:
> CREATE table(c1 int, c2 int);
> INSERT INTO T1 VALUES(1,1);
> In Ranger:
> Add policies:
> 1) Name t1allow, Database *, Table t1,
> Allow conditions user: <unix login>, Permissions: select
> 2) Name t1deny, Database *, Table t1,
> Deny conditions user: <unix login>, Permissions: select
> Connect impala-shell as <unix login>:
> SELECT c1 from t1; -- Not allowed
> SELECT c2 from t1; -- Allowed
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org