You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2020/10/28 04:58:00 UTC

[jira] [Created] (IMPALA-10300) Investigate the need for checking the privilege on server when creating a Kudu table with property of kudu.master_addresses

Fang-Yu Rao created IMPALA-10300:
------------------------------------

             Summary: Investigate the need for checking the privilege on server when creating a Kudu table with property of kudu.master_addresses
                 Key: IMPALA-10300
                 URL: https://issues.apache.org/jira/browse/IMPALA-10300
             Project: IMPALA
          Issue Type: Improvement
          Components: Frontend
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao
             Fix For: Impala 4.0


We found that based on the default Ranger policies loaded by {{$IMPALA_HOME/testdata/bin/create-load-data.sh}}, the following query would result in an {{AuthorizationException}}.
{noformat}
CREATE TABLE `kudu_table` (
`id` BIGINT,
`name` STRING, primary key(id)
)
STORED AS KUDU
TBLPROPERTIES(
  'kudu.master_addresses' = 'localhost'
);
{noformat}
According to the error message, the requesting user does not have the necessary privileges on "{{server1}}", where "{{server1}}" is part of the input arguments we use to start {{impalad}}'s and {{catalogd}} in an authorization-enabled cluster.

However, if we do not explicitly add the table property of '{{kudu.master_addresses}}', the query could be performed without any error and the result returned for the query of "{{SHOW CREATE TABLE kudu_table}}" would still contain the property of "{{'kudu.master_addresses'='localhost'}}".

Hence, it would be good to figure out whether the check of the privileges on {{server1}} is really necessary and whether the check could be waived if the explicitly specified 'kudu.master_addresses' happens to be the default value, i.e., "localhost" in this case. Notice that in order for a query with an explicitly specified '{{kudu.master_addresses}}' property, we have to add the requesting user in the the policies of 1) {{all - database, table, column}}, 2) {{all - database, udf}}, and 3) {{all - url}}, which seems to grant too many privileges than necessary to the requesting user since in this case, the requesting user would be able to perform any operations on {{server1}} in Impala.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)