Posted to reviews@impala.apache.org by "Fang-Yu Rao (Code Review)" <ge...@cloudera.org> on 2020/05/31 23:52:58 UTC

[Impala-ASF-CR] IMPALA-9341: Check current delegateAdmin value when performing REVOKE

Fang-Yu Rao has uploaded this change for review. ( http://gerrit.cloudera.org:8080/16013 )


Change subject: IMPALA-9341: Check current delegateAdmin value when performing REVOKE
......................................................................

IMPALA-9341: Check current delegateAdmin value when performing REVOKE

When executing a GRANT or REVOKE statement with Ranger being the
authorization provider, Impala has to prepare a GrantRevokeRequest to
allow Ranger to add/delete the corresponding RangerPolicy or modify the
existing RangerPolicyItems in the related RangerPolicy. One of the
fields that has to be set in a GrantRevokeRequest is delegateAdmin,
which dictates whether the grantee is allowed to transfer the privilege
on the resource to other principals. Specifically, the field
of delegateAdmin in the updated RangerPolicyItem corresponding to the
grantee would be set to the value of delegateAdmin in the
GrantRevokeRequest prepared by Impala.

Before this patch, when executing a REVOKE statement without the GRANT
OPTION, Impala would set delegateAdmin in the GrantRevokeRequest to
true. This is fine if the privilege to be revoked is the only privilege
that was previously granted to the grantee. However, in the case when
the privilege to be revoked was not granted and there is a
RangerPolicyItem with respect to the other privilege on the same
resource, the grantee actually obtains the permission to transfer the
non-matching privilege afterwards. The root cause of this issue is that
the privileges on the same resource share the same field of
delegateAdmin in the corresponding RangerPolicyItem, a current
limitation of Ranger.

One might wonder whether the aforementioned issue could be simply resolved
by always setting the delegateAdmin field in a GrantRevokeRequest to
false for a REVOKE statement without the GRANT OPTION. However, in the
case when the grantee was permitted to transfer the non-matching
privilege, setting delegateAdmin to false in the GrantRevokeRequest
would deprive the grantee of the permission that should not have been
revoked, making it a bit inconvenient for both the administrator and the
grantee since the permission to transfer the non-matching privilege
should be restored afterwards.

This patch attempts to resolve this problem by 1) checking whether or
not there exists a RangerPolicyItem with respect to the same resource
and the grantee such that the delegateAdmin field is set to true and 2)
setting up the delegateAdmin field in the GrantRevokeRequest
accordingly.

Testing:
- Added a test case in test_ranger.py to verify the issue is fixed.
- Verified this patch passes the exhaustive tests in the DEBUG build
  except for 3 unrelated E2E tests.

Change-Id: Ib02c51bd15c94c1fb6b1776ecfd7ec3eeafc4e2c
---
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M tests/authorization/test_ranger.py
3 files changed, 134 insertions(+), 26 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/13/16013/1
-- 
To view, visit http://gerrit.cloudera.org:8080/16013
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib02c51bd15c94c1fb6b1776ecfd7ec3eeafc4e2c
Gerrit-Change-Number: 16013
Gerrit-PatchSet: 1
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
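
The three ways of choosing delegateAdmin for a REVOKE without GRANT OPTION that the commit message above compares, as an added example (not code from the patch or from Impala/Ranger). It assumes the simplified model the message describes: one policy item per grantee and resource, a single delegateAdmin flag shared by all its accesses, and a revoke that copies the request's flag onto the item. PolicyItem, the function names and the "alice" grantee are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class PolicyItem:
    """Simplified stand-in for a RangerPolicyItem: one grantee, one resource."""
    grantee: str
    accesses: set = field(default_factory=set)
    delegate_admin: bool = False  # one flag shared by every access in the item


def delegate_admin_for_revoke(item, strategy):
    """Value placed in the request's delegateAdmin field under each strategy."""
    if strategy == "always_true":    # behaviour before the patch
        return True
    if strategy == "always_false":   # the simple fix the message rejects
        return False
    if strategy == "check_current":  # the patch: keep whatever the item has now
        return item.delegate_admin
    raise ValueError(f"unknown strategy: {strategy}")


def apply_revoke(item, privilege, request_delegate_admin):
    """Modelled update: drop the privilege, copy the request's flag to the item."""
    item.accesses.discard(privilege)
    item.delegate_admin = request_delegate_admin
    return item


def scenario(initial_delegate_admin, strategy):
    """Constructed case: grantee holds only SELECT; INSERT, never granted, is revoked."""
    item = PolicyItem("alice", {"select"}, initial_delegate_admin)
    flag = delegate_admin_for_revoke(item, strategy)
    apply_revoke(item, "insert", flag)
    return sorted(item.accesses), item.delegate_admin


if __name__ == "__main__":
    for initial in (False, True):
        for strategy in ("always_true", "always_false", "check_current"):
            accesses, flag = scenario(initial, strategy)
            changed = "CHANGED" if flag != initial else "unchanged"
            print(f"initial={initial!s:5} {strategy:13} -> "
                  f"accesses={accesses} delegateAdmin={flag} ({changed})")
```

Only the check_current rows leave delegateAdmin unchanged for both starting states; always_true turns it on for SELECT, and always_false turns it off where it had been granted.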

[Impala-ASF-CR] IMPALA-9341: Check current delegateAdmin value when performing REVOKE

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16013 )

Change subject: IMPALA-9341: Check current delegateAdmin value when performing REVOKE
......................................................................


Patch Set 1:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/6180/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib02c51bd15c94c1fb6b1776ecfd7ec3eeafc4e2c
Gerrit-Change-Number: 16013
Gerrit-PatchSet: 1
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Mon, 01 Jun 2020 00:45:35 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-9341: Check current delegateAdmin value when performing REVOKE

Posted by "Fang-Yu Rao (Code Review)" <ge...@cloudera.org>.
Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/16013 )

Change subject: IMPALA-9341: Check current delegateAdmin value when performing REVOKE
......................................................................


Patch Set 1:

Hi Quanlong and Csaba, please review my patch for IMPALA-9341 and let me know if you have any suggestion or comment. Thank you very much!



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib02c51bd15c94c1fb6b1776ecfd7ec3eeafc4e2c
Gerrit-Change-Number: 16013
Gerrit-PatchSet: 1
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
Gerrit-Comment-Date: Sun, 31 May 2020 23:54:33 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-9341: Check current delegateAdmin value when performing REVOKE

Posted by "Fang-Yu Rao (Code Review)" <ge...@cloudera.org>.
Fang-Yu Rao has abandoned this change. ( http://gerrit.cloudera.org:8080/16013 )

Change subject: IMPALA-9341: Check current delegateAdmin value when performing REVOKE
......................................................................


Abandoned

Abandon this patch since we adopt the other approach.

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: abandon
Gerrit-Change-Id: Ib02c51bd15c94c1fb6b1776ecfd7ec3eeafc4e2c
Gerrit-Change-Number: 16013
Gerrit-PatchSet: 1
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>