You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@impala.apache.org by "Fang-Yu Rao (Code Review)" <ge...@cloudera.org> on 2020/01/24 01:43:02 UTC

[Impala-ASF-CR] IMPALA-8587: show grant does not produce correct privileges

Fang-Yu Rao has uploaded a new patch set (#4). ( http://gerrit.cloudera.org:8080/14356 )

Change subject: IMPALA-8587: show grant does not produce correct privileges
......................................................................

IMPALA-8587: show grant does not produce correct privileges

Currently the show grant command cannot produce correct privileges when the
list of resources in a RangerPolicy contains '*', a wildcard denoting all the
possible resources.

For example, when a user 'admin' having 'all' as one of its allowed operations
in a Ranger policy, if the field of 'database' in this RangerPolicy contains
only '*', given a SQL statement 'show grant user admin on database functional',
the current logic in RangerImpaladAuthorizationManager.java would consider that
the user 'admin' does not have any privilege on the database 'functional',
whereas in fact the user 'admin' should have all privileges for each database
on this server.

This patch resolves the issue by taking into consideration the case in which
the field of resources could contain a wildcard when determining whether or not
the name of the resource of interest ('functional' in the example above) is
contained in the list of resources the user ('admin' in the example above) has
privileges on.

Testing:
 - Passed the EE test test_ranger.py.

Change-Id: I8511656fe386a37a66d20e07ce1b875190bc4b65
---
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
M tests/authorization/test_ranger.py
2 files changed, 67 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/56/14356/4
-- 
To view, visit http://gerrit.cloudera.org:8080/14356
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I8511656fe386a37a66d20e07ce1b875190bc4b65
Gerrit-Change-Number: 14356
Gerrit-PatchSet: 4
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <au...@gmail.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fr...@apache.org>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>