You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@impala.apache.org by "Adam Holley (Code Review)" <ge...@cloudera.org> on 2018/10/01 18:23:55 UTC
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Adam Holley has uploaded this change for review. ( http://gerrit.cloudera.org:8080/11553
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
This patch fixes the SHOW GRANT USER statement to properly check
that the requesting user short name matches the name in the
SHOW GRANT USER statement to determine whether or not an admin
check is required for showing the privileges. Previous to this
patch, the full kerberos user name, e.g. foo_user@REALM was
compared against "SHOW GRANT USER foo_user" and did not match
do admin privileges were required.
Testing:
- Ran all fe and custom cluster tests.
- Validated against kerberized cluster.
Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
---
M fe/src/main/java/org/apache/impala/service/Frontend.java
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/53/11553/1
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1:
Build Successful
https://jenkins.impala.io/job/gerrit-code-review-checks/879/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 19:00:33 +0000
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Adam Holley (Code Review)" <ge...@cloudera.org>.
Adam Holley has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1:
The effective user there, get converted to a shortName in SentryPolicyService.listAllRoles() method.
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 19:02:15 +0000
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Fredy Wijaya (Code Review)" <ge...@cloudera.org>.
Fredy Wijaya has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 19:12:11 +0000
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1: Verified+1
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 22:48:45 +0000
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Fredy Wijaya (Code Review)" <ge...@cloudera.org>.
Fredy Wijaya has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1:
> Patch Set 1:
>
> (1 comment)
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/service/JniCatalog.java#L294-L295 uses requesting_user. We just need to double check to make sure we don't break anything here.
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 18:52:54 +0000
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Fredy Wijaya (Code Review)" <ge...@cloudera.org>.
Fredy Wijaya has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/11553/1/fe/src/main/java/org/apache/impala/service/Frontend.java
File fe/src/main/java/org/apache/impala/service/Frontend.java:
http://gerrit.cloudera.org:8080/#/c/11553/1/fe/src/main/java/org/apache/impala/service/Frontend.java@511
PS1, Line 511: analysis.getAnalyzer().getUser().getShortName());
Can we check any code that uses getUser().getName()?
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 18:35:45 +0000
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Adam Holley (Code Review)" <ge...@cloudera.org>.
Adam Holley has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/11553/1/fe/src/main/java/org/apache/impala/service/Frontend.java
File fe/src/main/java/org/apache/impala/service/Frontend.java:
http://gerrit.cloudera.org:8080/#/c/11553/1/fe/src/main/java/org/apache/impala/service/Frontend.java@511
PS1, Line 511: analysis.getAnalyzer().getUser().getShortName());
> Can we check any code that uses getUser().getName()?
Validated other usages. Exceptions, trace, and tests which should retain name.
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 18:40:58 +0000
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
This patch fixes the SHOW GRANT USER statement to properly check
that the requesting user short name matches the name in the
SHOW GRANT USER statement to determine whether or not an admin
check is required for showing the privileges. Previous to this
patch, the full kerberos user name, e.g. foo_user@REALM was
compared against "SHOW GRANT USER foo_user" and did not match
do admin privileges were required.
Testing:
- Ran all fe and custom cluster tests.
- Validated against kerberized cluster.
Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Reviewed-on: http://gerrit.cloudera.org:8080/11553
Reviewed-by: Fredy Wijaya <fw...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
M fe/src/main/java/org/apache/impala/service/Frontend.java
1 file changed, 1 insertion(+), 1 deletion(-)
Approvals:
Fredy Wijaya: Looks good to me, approved
Impala Public Jenkins: Verified
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 2
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
[Impala-ASF-CR] IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/11553 )
Change subject: IMPALA-7646: SHOW GRANT USER does not work for kerberos cluster
......................................................................
Patch Set 1:
Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/3253/ DRY_RUN=false
--
To view, visit http://gerrit.cloudera.org:8080/11553
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Iba4c627b72c8cbc323be25917698a75d153afd31
Gerrit-Change-Number: 11553
Gerrit-PatchSet: 1
Gerrit-Owner: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ah...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fw...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Comment-Date: Mon, 01 Oct 2018 19:12:38 +0000
Gerrit-HasComments: No