Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/09/11 13:07:00 UTC

[jira] [Commented] (IMPALA-8933) Ranger column deny policies not respected under certain circumstances

    [ https://issues.apache.org/jira/browse/IMPALA-8933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16927544#comment-16927544 ] 

ASF subversion and git services commented on IMPALA-8933:
---------------------------------------------------------

Commit b37dd05e8f35bba5d9126ef79b35c1831f966f1b in impala's branch refs/heads/master from Kurt Deschler
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b37dd05 ]

IMPALA-8933: Enforce ranger deny policy

This patch fixes a case where access to a given column is allowed at the
table level by a ranger policy and denied at the column level by a
second ranger policy. The code previously skipped evaluating column
level policies when a table level policy allowed access but that
optimization can only be applied when the column level policy does not
deny access.

Testing:
- Manually tested with table level allow and column level deny policies
  in ranger
- Ran ranger-specific authorization functional and unit tests

Steps to Repro:
Connect impala-shell as admin:
  CREATE TABLE t1(c1 int, c2 int);
  INSERT INTO T1 VALUES(1,1);
In Ranger:
  Add policies:
    1) Name t1allow, Database *, Table t1,
        Allow conditions user: <unix login>, Permissions: select
    2) Name t1deny, Database *, Table t1,
        Deny conditions user: <unix login>, Permissions: select
Connect impala-shell as <unix login>:
  SELECT c1 from t1; -- Not allowed
  SELECT c2 from t1; -- Allowed

Change-Id: Ic60786cd81080feeb0bfcd92aa2be646ee8cb7da
Reviewed-on: http://gerrit.cloudera.org:8080/14203
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Ranger column deny policies not respected under certain circumstances
> ---------------------------------------------------------------------
>
>                 Key: IMPALA-8933
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8933
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: Impala 3.4.0
>            Reporter: Kurt Deschler
>            Assignee: Kurt Deschler
>            Priority: Major
>              Labels: ranger
>




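The short-circuit described in the commit message above, as an added Python model that is not Impala or Ranger code: it compares the pre-fix table-level shortcut with a check that keeps the shortcut only when no column-level deny applies. The user name alice, the Policy class, the function names, and the choice of c1 as the denied column are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    table: str
    column: Optional[str]  # None means a table-level policy
    user: str
    effect: str            # "allow" or "deny"

# Constructed policies (assumption: the deny policy targets column c1).
POLICIES = [
    Policy("t1allow", "t1", None, "alice", "allow"),
    Policy("t1deny", "t1", "c1", "alice", "deny"),
]

def _decide(matching):
    # Deny wins over allow; no matching policy means no access.
    effects = {p.effect for p in matching}
    return "deny" not in effects and "allow" in effects

def table_allowed(policies, user, table):
    return _decide([p for p in policies
                    if (p.user, p.table, p.column) == (user, table, None)])

def column_allowed(policies, user, table, column):
    return _decide([p for p in policies
                    if (p.user, p.table) == (user, table)
                    and p.column in (None, column)])

def has_column_deny(policies, user, table):
    return any(p.effect == "deny" and p.column is not None
               and (p.user, p.table) == (user, table) for p in policies)

def select_allowed_shortcut(policies, user, table, columns):
    # Pre-fix behaviour: a table-level allow skips every column check.
    if table_allowed(policies, user, table):
        return True
    return bool(columns) and all(column_allowed(policies, user, table, c) for c in columns)

def select_allowed_fixed(policies, user, table, columns):
    # The shortcut is kept only when no column-level deny could override it.
    if table_allowed(policies, user, table) and not has_column_deny(policies, user, table):
        return True
    return bool(columns) and all(column_allowed(policies, user, table, c) for c in columns)
```

A regression test for this class of bug needs both policies present at once; testing the allow policy and the deny policy separately passes under either function.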