You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/02/08 03:16:00 UTC
[jira] [Created] (IMPALA-10483) Support
column-masking/row-filtering policy expressions that contain subqueries
Quanlong Huang created IMPALA-10483:
---------------------------------------
Summary: Support column-masking/row-filtering policy expressions that contain subqueries
Key: IMPALA-10483
URL: https://issues.apache.org/jira/browse/IMPALA-10483
Project: IMPALA
Issue Type: New Feature
Components: Security
Reporter: Quanlong Huang
Row-filtering policies are applied as the WHERE clause of the table masking view of the base table/view. E.g. if table "tblA" contains a row-filtering policy "id=0", the original query "{{select * from tblA join tblB on (id)}}" will be analyzed as
{code:sql}
select * from (
select col1, col2, ..., colN from tblA where id = 0
) v join tblB on (id)
{code}
The row-filtering policy expression can also use subqueries, e.g. "{{id = (select min(id) from tblC)}}". However, if the WHERE clause introduces subqueries, it will introduce new tables whose metadata is not loaded in Analyzer's StmtTableCache. So the Analyzer will fail to resolve them and raise AuthorizationExceptions complaining user doesn't have privilege to SELECT those tables.
One solution is collecting tables introduced by subqueries of Column-masking/Row-filtering expressions and also load them in {{StmtMetadataLoader#loadTables()}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)