Posted to reviews@impala.apache.org by "Quanlong Huang (Code Review)" <ge...@cloudera.org> on 2021/06/07 08:49:40 UTC

[Impala-ASF-CR] IMPALA-10728: Check access privileges inside masking expressions

Hello Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17550

to look at the new patch set (#2).

Change subject: IMPALA-10728: Check access privileges inside masking expressions
......................................................................

IMPALA-10728: Check access privileges inside masking expressions

Row-filtering/column-masking policies may introduce new expressions or
tables to the original query, e.g. a column-masking policy can reference
other columns that are not used by the original query, a row-filtering
policy can filter rows based on a subquery on other tables.

Previously, we intended not to check accesses on these expressions and
tables. One reason is that they are hidden and users are not aware of
them. The other reason is the expressions are considered to be evaluated
by the admin (who creates these policies and has access to all
resources). The same for masking policies, i.e. if the hidden tables
have masking policies, those policies are not applied recursively. This
also avoids infinitely recursive masking.

Hive has the same behavior on masking policies. However, Hive does check
access privileges inside the masking expressions. To avoid breaking
users who may have already depended on this, we adjust our behavior to
check access privileges inside the masking expressions as well. Due to
this, audits will also be generated on accessing the additional columns.

Implementation:
Before this patch, we only collect privilege requests when analyzing the
original query. When masking expressions are applied and query rewrite
rules are applied, we re-analyze the AST without collecting privilege
requests. This patch adjusts the behavior to also collect them in the
re-analyzing pass after masking expressions are applied.

Tests
 - Add FE tests.
 - Adjust existing FE audit test to verify the additional audits.

Change-Id: I772fa2f5d189b1272e8419ed1fb5b34d373d3601
---
M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
4 files changed, 103 insertions(+), 33 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/50/17550/2
-- 
To view, visit http://gerrit.cloudera.org:8080/17550
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I772fa2f5d189b1272e8419ed1fb5b34d373d3601
Gerrit-Change-Number: 17550
Gerrit-PatchSet: 2
Gerrit-Owner: Quanlong Huang <hu...@gmail.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
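
The behaviour change described in the commit message above, as an added example that is not part of the original message and is not Impala code: a simplified Python model of the two analysis passes, showing how collecting privilege requests in the re-analysis pass makes a hidden column referenced by a masking expression subject to authorization and auditing. The table, policy, grants and every function name are hypothetical and constructed for illustration.

```python
import re

# Constructed sample data (not from Impala): one table, one column-masking
# policy on `ssn` whose expression also reads the `dept` column.
TABLE_COLUMNS = {"hr.emp": {"id", "ssn", "dept"}}
MASKING_POLICIES = {
    ("hr.emp", "ssn"): "CASE WHEN dept = 'audit' THEN ssn ELSE mask(ssn) END",
}
GRANTS = {
    "alice": {("hr.emp", "id"), ("hr.emp", "ssn")},
    "bob": {("hr.emp", "id"), ("hr.emp", "ssn"), ("hr.emp", "dept")},
}


def referenced_columns(expr, table):
    """Columns of `table` named in `expr` (token match; string literals are skipped)."""
    without_literals = re.sub(r"'[^']*'", "", expr)
    return set(re.findall(r"[A-Za-z_]\w*", without_literals)) & TABLE_COLUMNS[table]


def collect_privilege_requests(table, select_cols, check_masking_exprs):
    """Return the (table, column) privilege requests collected for a SELECT."""
    # Pass 1: analysis of the original query.
    requests = {(table, col) for col in select_cols}
    # Pass 2: re-analysis after masking expressions are applied. Requests are
    # collected here only when check_masking_exprs is True (the new behaviour).
    if check_masking_exprs:
        for col in select_cols:
            expr = MASKING_POLICIES.get((table, col))
            if expr:
                requests |= {(table, c) for c in referenced_columns(expr, table)}
    return requests


def authorize(user, table, select_cols, check_masking_exprs):
    """Return (allowed, audits); each audit is (user, table, column, granted)."""
    requests = collect_privilege_requests(table, select_cols, check_masking_exprs)
    audits = [(user, t, c, (t, c) in GRANTS[user]) for t, c in sorted(requests)]
    return all(granted for *_, granted in audits), audits


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for flag in (False, True):
            print(user, flag, authorize(user, "hr.emp", ["ssn"], flag))
```

In this model, `alice` can select `ssn` under the old behaviour but is denied under the new one because the policy reads `dept`, and the audit list gains an entry for that column.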