Posted to commits@impala.apache.org by st...@apache.org on 2022/08/30 12:08:08 UTC
[impala] 06/06: IMPALA-11281: Load table metadata for ResetMetadataStmt
This is an automated email from the ASF dual-hosted git repository.
stigahuang pushed a commit to branch branch-4.1.1
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 5cae46a4bf359c10a657fb4c9e1e8f4e25187c9e
Author: Fang-Yu Rao <fa...@cloudera.com>
AuthorDate: Mon May 23 12:02:26 2022 -0700
IMPALA-11281: Load table metadata for ResetMetadataStmt
This patch loads the metadata of the table for ResetMetadataStmt if the
table is not null and Ranger table masking is supported so that the
information about the columns of the table could be used to check
whether masking is enabled for any column in the table and thus the
update operation on a table where there is a masking policy defined on
any column could be blocked.
Testing:
- Added an E2E test to verify the update operation on a table by a
requesting user would be denied if there is a column masking policy
defined on any column in the table for the requesting user even
though the table metadata have been invalidated immediately before
the requesting user attempts to invalidate the table metadata again.
Change-Id: I0c90b413974223886661697f11844d99a68fdebf
Reviewed-on: http://gerrit.cloudera.org:8080/18561
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Reviewed-on: http://gerrit.cloudera.org:8080/18917
Tested-by: Quanlong Huang <hu...@gmail.com>
Reviewed-by: Csaba Ringhofer <cs...@cloudera.com>
---
.../apache/impala/analysis/StmtMetadataLoader.java | 12 ++++++++-
tests/authorization/test_ranger.py | 29 ++++++++++++++++++++++
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java b/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
index 5da12183f..9bceee118 100644
--- a/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
+++ b/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
@@ -347,7 +347,17 @@ public class StmtMetadataLoader {
private Set<TableName> collectTableCandidates(StatementBase stmt) {
Preconditions.checkNotNull(stmt);
List<TableRef> tblRefs = new ArrayList<>();
- stmt.collectTableRefs(tblRefs);
+ // The information about whether table masking is supported is not available to
+ // ResetMetadataStmt so we collect the TableRef for ResetMetadataStmt whenever
+ // applicable.
+ if (stmt instanceof ResetMetadataStmt
+ && fe_.getAuthzFactory().getAuthorizationConfig().isEnabled()
+ && fe_.getAuthzFactory().supportsTableMasking()) {
+ TableName tableName = ((ResetMetadataStmt) stmt).getTableName();
+ if (tableName != null) tblRefs.add(new TableRef(tableName.toPath(), null));
+ } else {
+ stmt.collectTableRefs(tblRefs);
+ }
Set<TableName> tableNames = new HashSet<>();
for (TableRef ref: tblRefs) {
tableNames.addAll(Path.getCandidateTables(ref.getPath(), sessionDb_));
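Review bot: The new comment in collectTableCandidates says why ResetMetadataStmt cannot decide this itself, but not why the table has to be loaded at all, so the branch could later be removed as a needless metadata load. I would state the security reason taken from the commit message, e.g. `// Load the table so the column masking check sees its columns; otherwise INVALIDATE METADATA/REFRESH on a masked table is not blocked.` The branch also replaces `stmt.collectTableRefs(tblRefs)` rather than adding to it, which presumably relies on ResetMetadataStmt collecting nothing there; a short remark to that effect would make the assumption visible. `fe_.getAuthzFactory()` is called twice in the condition and could be held in a local. The method body continues past the end of the hunk.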
diff --git a/tests/authorization/test_ranger.py b/tests/authorization/test_ranger.py
index d0caa7b17..eae23d4c7 100644
--- a/tests/authorization/test_ranger.py
+++ b/tests/authorization/test_ranger.py
@@ -1073,6 +1073,35 @@ class TestRanger(CustomClusterTestSuite):
for i in range(policy_cnt):
TestRanger._remove_policy(unique_name + str(i))
+ @pytest.mark.execute_serially
+ @CustomClusterTestSuite.with_args(
+ impalad_args=IMPALAD_ARGS, catalogd_args=CATALOGD_ARGS)
+ def test_block_metadata_update(self, vector, unique_name):
+ """Test that the metadata update operation on a table by a requesting user is denied
+ if there exists a column masking policy defined on any column in the table for the
+ requesting user even when the table metadata (e.g., list of columns) have been
+ invalidated immediately before the requesting user tries to invalidate the table
+ metadata again. This test would have failed if we did not load the table metadata
+ for ResetMetadataStmt."""
+ user = getuser()
+ admin_client = self.create_impala_client()
+ non_owner_client = self.create_impala_client()
+ try:
+ TestRanger._add_column_masking_policy(
+ unique_name, user, "functional", "alltypestiny", "id",
+ "CUSTOM", "id * 100")
+ self.execute_query_expect_success(admin_client,
+ "invalidate metadata functional.alltypestiny", user=ADMIN)
+ admin_client.execute("grant all on server to user {0}".format(user))
+ result = self.execute_query_expect_failure(
+ non_owner_client, "invalidate metadata functional.alltypestiny", user=user)
+ assert "User '{0}' does not have privileges to execute " \
+ "'INVALIDATE METADATA/REFRESH' on: functional.alltypestiny".format(user) \
+ in str(result)
+ finally:
+ TestRanger._remove_policy(unique_name)
+ admin_client.execute("revoke all on server from user {0}".format(user))
+
@pytest.mark.execute_serially
@CustomClusterTestSuite.with_args(
impalad_args=IMPALAD_ARGS, catalogd_args=CATALOGD_ARGS)
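Review bot: In the `finally` block of test_block_metadata_update, `revoke all on server from user` only runs if `TestRanger._remove_policy(unique_name)` returns normally, so a failure while removing the policy would leave the test user holding ALL on the server, presumably for whatever runs next against the same Ranger state. Putting the `_remove_policy` call in its own `try:` with the revoke in a nested `finally:` makes both cleanups independent. The grant is issued through `admin_client.execute(...)` without `user=ADMIN`, unlike the `invalidate metadata` just before it; if that is deliberate, a one-line comment would help. The test exercises only `invalidate metadata`, while the asserted message names 'INVALIDATE METADATA/REFRESH', so a `refresh functional.alltypestiny` case for the same user would cover the other statement.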