Posted to issues-all@impala.apache.org by "Tim Armstrong (Jira)" <ji...@apache.org> on 2020/01/03 12:05:00 UTC

[jira] [Commented] (IMPALA-9269) Explain on view not allowed with all column granted on the underlying table

    [ https://issues.apache.org/jira/browse/IMPALA-9269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007440#comment-17007440 ] 

Tim Armstrong commented on IMPALA-9269:
---------------------------------------

[~ximz] can you please provide the version that you reproduced this on and the startup flags? E.g. are you using the Sentry or Ranger authorisation provider? There's not quite enough here for someone to reproduce reliably.



> Explain on view not allowed with all column granted on the underlying table
> ---------------------------------------------------------------------------
>
>                 Key: IMPALA-9269
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9269
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>            Reporter: Xiaomin Zhang
>            Priority: Minor
>
> This issue was initially reported in IMPALA-5998 but was marked as "cannot reproduce". I encountered this exact same issue on the upstream:
> [localhost:21000] default> show current roles;
> Query: show current roles
> +-----------+
> | role_name |
> +-----------+
> | guest     |
> +-----------+
> Fetched 1 row(s) in 0.05s
> [localhost:21000] default> show grant role guest;
> Query: show grant role guest
> +----------+------------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | scope    | database         | table | column | uri | privilege | grant_option | create_time                   |
> +----------+------------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | database | _impala_builtins |       |        |     | select    | false        | Fri, Dec 13 2019 13:45:00.917 |
> | database | default          |       |        |     | all       | false        | Tue, Dec 10 2019 15:43:50.497 |
> | column   | tpch             | test  | c      |     | select    | false        | Fri, Dec 13 2019 09:43:21.112 |
> +----------+------------------+-------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 3 row(s) in 0.01s
> [localhost:21000] default> show create table tpch.test;
> Query: show create table tpch.test
> ERROR: AuthorizationException: User 'test' does not have privileges to access: tpch.test
> [localhost:21000] default> select * from tpch.test;
> Query: select * from tpch.test
> Query submitted at: 2019-12-29 15:56:37 (Coordinator: http://dnode:25000)
> Query progress can be monitored at: http://dnode:25000/query_plan?query_id=234e59a328fc8046:e78b625d00000000
> +-----+
> | c   |
> +-----+
> | 100 |
> +-----+
> Fetched 1 row(s) in 0.23s
> [localhost:21000] default> create view test_view as select * from tpch.test;
> Query: create view test_view as select * from tpch.test
> Query submitted at: 2019-12-29 15:57:02 (Coordinator: http://dnode:25000)
> Query progress can be monitored at: http://dnode:25000/query_plan?query_id=ee48927ef97bdc09:1ec2396100000000
> +------------------------+
> | summary                |
> +------------------------+
> | View has been created. |
> +------------------------+
> Fetched 1 row(s) in 0.12s
> [localhost:21000] default> select * from test_view;
> Query: select * from test_view
> Query submitted at: 2019-12-29 15:57:07 (Coordinator: http://dnode:25000)
> Query progress can be monitored at: http://dnode:25000/query_plan?query_id=5742d31eee7501ab:2945693500000000
> +-----+
> | c   |
> +-----+
> | 100 |
> +-----+
> Fetched 1 row(s) in 5.40s
> [localhost:21000] default> explain select * from test_view;
> Query: explain select * from test_view
> ERROR: AuthorizationException: User 'test' does not have privileges to EXPLAIN this statement.
>  
> [localhost:21000] default> show create view test_view;
> Query: show create view test_view
> ERROR: AuthorizationException: User 'test' does not have privileges to see the definition of view 'default.test_view'.
> I think there are 2 issues here:
> 1) User could not see the VIEW definition after creating it
> 2) User could not explain the VIEW, even with all columns granted 


