Posted to commits@impala.apache.org by st...@apache.org on 2022/08/30 12:08:08 UTC

[impala] 06/06: IMPALA-11281: Load table metadata for ResetMetadataStmt

This is an automated email from the ASF dual-hosted git repository.

stigahuang pushed a commit to branch branch-4.1.1
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 5cae46a4bf359c10a657fb4c9e1e8f4e25187c9e
Author: Fang-Yu Rao <fa...@cloudera.com>
AuthorDate: Mon May 23 12:02:26 2022 -0700

    IMPALA-11281: Load table metadata for ResetMetadataStmt
    
    This patch loads the metadata of the table for ResetMetadataStmt if the
    table is not null and Ranger table masking is supported so that the
    information about the columns of the table could be used to check
    whether masking is enabled for any column in the table and thus the
    update operation on a table where there is a masking policy defined on
    any column could be blocked.
    
    Testing:
     - Added an E2E test to verify the update operation on a table by a
       requesting user would be denied if there is a column masking policy
       defined on any column in the table for the requesting user even
       though the table metadata have been invalidated immediately before
       the requesting user attempts to invalidate the table metadata again.
    
    Change-Id: I0c90b413974223886661697f11844d99a68fdebf
    Reviewed-on: http://gerrit.cloudera.org:8080/18561
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
    Reviewed-on: http://gerrit.cloudera.org:8080/18917
    Tested-by: Quanlong Huang <hu...@gmail.com>
    Reviewed-by: Csaba Ringhofer <cs...@cloudera.com>
---
 .../apache/impala/analysis/StmtMetadataLoader.java | 12 ++++++++-
 tests/authorization/test_ranger.py                 | 29 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java b/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
index 5da12183f..9bceee118 100644
--- a/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
+++ b/fe/src/main/java/org/apache/impala/analysis/StmtMetadataLoader.java
@@ -347,7 +347,17 @@ public class StmtMetadataLoader {
   private Set<TableName> collectTableCandidates(StatementBase stmt) {
     Preconditions.checkNotNull(stmt);
     List<TableRef> tblRefs = new ArrayList<>();
-    stmt.collectTableRefs(tblRefs);
+    // The information about whether table masking is supported is not available to
+    // ResetMetadataStmt so we collect the TableRef for ResetMetadataStmt whenever
+    // applicable.
+    if (stmt instanceof ResetMetadataStmt
+        && fe_.getAuthzFactory().getAuthorizationConfig().isEnabled()
+        && fe_.getAuthzFactory().supportsTableMasking()) {
+      TableName tableName = ((ResetMetadataStmt) stmt).getTableName();
+      if (tableName != null) tblRefs.add(new TableRef(tableName.toPath(), null));
+    } else {
+      stmt.collectTableRefs(tblRefs);
+    }
     Set<TableName> tableNames = new HashSet<>();
     for (TableRef ref: tblRefs) {
       tableNames.addAll(Path.getCandidateTables(ref.getPath(), sessionDb_));
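Review bot: The comment above the new `stmt instanceof ResetMetadataStmt` branch explains why the decision is made here, but not what the loaded metadata is used for. A reader needs the commit message to learn that the column list feeds the column-masking check that denies INVALIDATE METADATA/REFRESH. I would add a line such as `// Loading the table lets authorization see its columns and deny the statement when a column masking policy applies to the user.` The hunk does not show what happens when the table cannot be loaded or is not yet known to the catalog, so it is worth confirming that the authorization check then fails closed rather than treating the missing column list as "no masking". As a style point, `fe_.getAuthzFactory()` is called twice in the condition and could be held in a local; the body of collectTableCandidates continues past the end of the hunk.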
diff --git a/tests/authorization/test_ranger.py b/tests/authorization/test_ranger.py
index d0caa7b17..eae23d4c7 100644
--- a/tests/authorization/test_ranger.py
+++ b/tests/authorization/test_ranger.py
@@ -1073,6 +1073,35 @@ class TestRanger(CustomClusterTestSuite):
       for i in range(policy_cnt):
         TestRanger._remove_policy(unique_name + str(i))
 
+  @pytest.mark.execute_serially
+  @CustomClusterTestSuite.with_args(
+    impalad_args=IMPALAD_ARGS, catalogd_args=CATALOGD_ARGS)
+  def test_block_metadata_update(self, vector, unique_name):
+    """Test that the metadata update operation on a table by a requesting user is denied
+       if there exists a column masking policy defined on any column in the table for the
+       requesting user even when the table metadata (e.g., list of columns) have been
+       invalidated immediately before the requesting user tries to invalidate the table
+       metadata again. This test would have failed if we did not load the table metadata
+       for ResetMetadataStmt."""
+    user = getuser()
+    admin_client = self.create_impala_client()
+    non_owner_client = self.create_impala_client()
+    try:
+      TestRanger._add_column_masking_policy(
+          unique_name, user, "functional", "alltypestiny", "id",
+          "CUSTOM", "id * 100")
+      self.execute_query_expect_success(admin_client,
+          "invalidate metadata functional.alltypestiny", user=ADMIN)
+      admin_client.execute("grant all on server to user {0}".format(user))
+      result = self.execute_query_expect_failure(
+          non_owner_client, "invalidate metadata functional.alltypestiny", user=user)
+      assert "User '{0}' does not have privileges to execute " \
+          "'INVALIDATE METADATA/REFRESH' on: functional.alltypestiny".format(user) \
+          in str(result)
+    finally:
+      TestRanger._remove_policy(unique_name)
+      admin_client.execute("revoke all on server from user {0}".format(user))
+
   @pytest.mark.execute_serially
   @CustomClusterTestSuite.with_args(
     impalad_args=IMPALAD_ARGS, catalogd_args=CATALOGD_ARGS)
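Review bot: In the `finally` block of test_block_metadata_update, `TestRanger._remove_policy(unique_name)` runs before the revoke, so if the policy removal raises, `revoke all on server from user {0}` never executes and the server-wide grant outlives the test. I would run the revoke first, or wrap the policy removal in its own `try`/`finally`, so that the broad privilege is always withdrawn. The grant is also issued inside the `try` after the policy is added, so a failure in `_add_column_masking_policy` still reaches a cleanup that removes a policy that was never created. The test exercises only `invalidate metadata`; since the asserted message covers 'INVALIDATE METADATA/REFRESH', a second `execute_query_expect_failure` with `refresh functional.alltypestiny` would also pin the REFRESH path.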