You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/07/12 14:12:00 UTC

[jira] [Updated] (IMPALA-10300) Investigate the need for checking the privilege on server when creating a Kudu table with property of kudu.master_addresses

     [ https://issues.apache.org/jira/browse/IMPALA-10300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Quanlong Huang updated IMPALA-10300:
------------------------------------
    Fix Version/s:     (was: Impala 4.0)

> Investigate the need for checking the privilege on server when creating a Kudu table with property of kudu.master_addresses
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-10300
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10300
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Frontend
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> We found that based on the default Ranger policies loaded by {{$IMPALA_HOME/testdata/bin/create-load-data.sh}}, the following query would result in an {{AuthorizationException}}.
> {noformat}
> CREATE TABLE `kudu_table` (
> `id` BIGINT,
> `name` STRING, primary key(id)
> )
> STORED AS KUDU
> TBLPROPERTIES(
>   'kudu.master_addresses' = 'localhost'
> );
> {noformat}
> According to the error message, the requesting user does not have the necessary privileges on "{{server1}}", where "{{server1}}" is part of the input arguments we use to start {{impalad}}'s and {{catalogd}} in an authorization-enabled cluster.
> However, if we do not explicitly add the table property of '{{kudu.master_addresses}}', the query could be performed without any error and the result returned for the query of "{{SHOW CREATE TABLE kudu_table}}" would still contain the property of "{{'kudu.master_addresses'='localhost'}}".
> Hence, it would be good to figure out whether the check of the privileges on {{server1}} is really necessary and whether the check could be waived if the explicitly specified 'kudu.master_addresses' happens to be the default value, i.e., "localhost" in this case. Notice that in order for a query with an explicitly specified '{{kudu.master_addresses}}' property, we have to add the requesting user in the the policies of 1) {{all - database, table, column}}, 2) {{all - database, udf}}, and 3) {{all - url}}, which seems to grant too many privileges than necessary to the requesting user since in this case, the requesting user would be able to perform any operations on {{server1}} in Impala.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org