Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/09/11 13:07:00 UTC
[jira] [Commented] (IMPALA-8933) Ranger column deny policies not respected under certain circumstances
[ https://issues.apache.org/jira/browse/IMPALA-8933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16927544#comment-16927544 ]
ASF subversion and git services commented on IMPALA-8933:
---------------------------------------------------------
Commit b37dd05e8f35bba5d9126ef79b35c1831f966f1b in impala's branch refs/heads/master from Kurt Deschler
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b37dd05 ]
IMPALA-8933: Enforce ranger deny policy
This patch fixes a case where access to a given column is allowed at the
table level by a ranger policy and denied at the column level by a
second ranger policy. The code previously skipped evaluating column
level policies when a table level policy allowed access but that
optimization can only be applied when the column level policy does not
deny access.
Testing:
- Manually tested with table level allow and column level deny policies
  in ranger
- Ran ranger-specific authorization functional and unit tests
Steps to Repro:
Connect impala-shell as admin:
  CREATE table(c1 int, c2 int);
  INSERT INTO T1 VALUES(1,1);
In Ranger:
  Add policies:
  1) Name t1allow, Database *, Table t1,
     Allow conditions user: <unix login>, Permissions: select
  2) Name t1deny, Database *, Table t1,
     Deny conditions user: <unix login>, Permissions: select
Connect impala-shell as <unix login>:
  SELECT c1 from t1; -- Not allowed
  SELECT c2 from t1; -- Allowed
Change-Id: Ic60786cd81080feeb0bfcd92aa2be646ee8cb7da
Reviewed-on: http://gerrit.cloudera.org:8080/14203
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
> Ranger column deny policies not respected under certain circumstances
> ---------------------------------------------------------------------
>
> Key: IMPALA-8933
> URL: https://issues.apache.org/jira/browse/IMPALA-8933
> Project: IMPALA
> Issue Type: Bug
> Components: Security
> Affects Versions: Impala 3.4.0
> Reporter: Kurt Deschler
> Assignee: Kurt Deschler
> Priority: Major
> Labels: ranger
>
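The short-circuit described in the commit message, modelled as an added example (this is not Impala's or Ranger's code). The `Policy` class, the function names and the user `alice` are hypothetical, and scoping `t1deny` to column `c1` is an assumption taken from the repro's expected results.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Policy:  # simplified model for illustration, not Ranger's policy schema
    name: str
    database: str
    table: str
    column: str  # "*" means the policy covers the whole table
    user: str
    effect: str  # "allow" or "deny"

def _on_table(p, user, db, table):
    return p.user == user and fnmatchcase(db, p.database) and fnmatchcase(table, p.table)

def _decide(effects):
    # Deny overrides allow; no matching policy means no access.
    return "deny" not in effects and "allow" in effects

def column_allowed(policies, user, db, table, column):
    return _decide([p.effect for p in policies
                    if _on_table(p, user, db, table) and fnmatchcase(column, p.column)])

def table_allowed(policies, user, db, table):
    # Table-level check: only policies that cover every column are considered.
    return _decide([p.effect for p in policies
                    if _on_table(p, user, db, table) and p.column == "*"])

def _every_column(policies, user, db, table, columns):
    return bool(columns) and all(column_allowed(policies, user, db, table, c) for c in columns)

def authorize_shortcut(policies, user, db, table, columns):
    # Previous behaviour per the commit message: a table-level allow skips column policies.
    if table_allowed(policies, user, db, table):
        return True
    return _every_column(policies, user, db, table, columns)

def authorize_fixed(policies, user, db, table, columns):
    # Take the shortcut only when no column-level deny applies to this user and table.
    column_deny = any(p.effect == "deny" and p.column != "*" and _on_table(p, user, db, table)
                      for p in policies)
    if not column_deny and table_allowed(policies, user, db, table):
        return True
    return _every_column(policies, user, db, table, columns)

# Constructed policies mirroring the repro; "alice" stands in for <unix login>.
POLICIES = [
    Policy("t1allow", "*", "t1", "*", "alice", "allow"),
    Policy("t1deny", "*", "t1", "c1", "alice", "deny"),  # column c1 is an assumption
]
```

A regression test for this class of bug should query the denied column on its own and together with an allowed one, since either form can hit the table-level shortcut.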