You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2021/07/12 14:12:00 UTC
[jira] [Updated] (IMPALA-10300) Investigate the need for checking
the privilege on server when creating a Kudu table with property of
kudu.master_addresses
[ https://issues.apache.org/jira/browse/IMPALA-10300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Quanlong Huang updated IMPALA-10300:
------------------------------------
Fix Version/s: (was: Impala 4.0)
> Investigate the need for checking the privilege on server when creating a Kudu table with property of kudu.master_addresses
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-10300
> URL: https://issues.apache.org/jira/browse/IMPALA-10300
> Project: IMPALA
> Issue Type: Improvement
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> We found that based on the default Ranger policies loaded by {{$IMPALA_HOME/testdata/bin/create-load-data.sh}}, the following query would result in an {{AuthorizationException}}.
> {noformat}
> CREATE TABLE `kudu_table` (
> `id` BIGINT,
> `name` STRING, primary key(id)
> )
> STORED AS KUDU
> TBLPROPERTIES(
> 'kudu.master_addresses' = 'localhost'
> );
> {noformat}
> According to the error message, the requesting user does not have the necessary privileges on "{{server1}}", where "{{server1}}" is part of the input arguments we use to start {{impalad}}'s and {{catalogd}} in an authorization-enabled cluster.
> However, if we do not explicitly add the table property of '{{kudu.master_addresses}}', the query could be performed without any error and the result returned for the query of "{{SHOW CREATE TABLE kudu_table}}" would still contain the property of "{{'kudu.master_addresses'='localhost'}}".
> Hence, it would be good to figure out whether the check of the privileges on {{server1}} is really necessary and whether the check could be waived if the explicitly specified 'kudu.master_addresses' happens to be the default value, i.e., "localhost" in this case. Notice that in order for a query with an explicitly specified '{{kudu.master_addresses}}' property, we have to add the requesting user in the the policies of 1) {{all - database, table, column}}, 2) {{all - database, udf}}, and 3) {{all - url}}, which seems to grant too many privileges than necessary to the requesting user since in this case, the requesting user would be able to perform any operations on {{server1}} in Impala.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org