You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/03/28 07:06:00 UTC
[jira] [Commented] (IMPALA-8225) Implement GRANT/REVOKE privilege
to USER
[ https://issues.apache.org/jira/browse/IMPALA-8225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803641#comment-16803641 ]
ASF subversion and git services commented on IMPALA-8225:
---------------------------------------------------------
Commit 5578ccca154712b45bc472252e132e389a75d6c2 in impala's branch refs/heads/master from Austin Nobis
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=5578ccc ]
IMPALA-8225: Add Ranger support for grant/revoke privilege to/from user
This patch adds support for GRANT privilege statements to USER and
REVOKE privilege statements from USER. The RangerAuthorizationManager
class has been created and will throw UnsupportedOperationException when
an unimplemented method is called. The grammar has been updated to
support FROM USER and TO USER for GRANT/REVOKE statements. Previously,
privileges could be granted to a ROLE via GRANT/REVOKE statements even
when the ROLE keyword was omitted, i.e:
GRANT <privilege> ON <resource> TO <role>
This is still the case for ROLE based authorization to preserve backward
compatibility, but Ranger will throw an exception when a GRANT/REVOKE
statement excludes the USER keyword. The syntax for the new statement is:
GRANT <privilege> ON <resource> TO USER <user>
REVOKE <privilege> ON <resource> FROM USER <user>
Sentry does not support grant/revoke to/from user.
Testing:
- An additional end to end test, test_ranger.py, was added. A single test
was added that grants and revokes for a user and asserts permissions on
a table. The test uses sleep statements to work with Ranger's polling
interval for policy changes. More end to end tests will be added in the
future when the refresh authorization statement works properly with
Ranger.
- AuthorizationStmtTest has been refactored to use the new
RangerCatalogdAuthorizationManager grant/revoke methods for better
test coverage.
- Ran all FE tests
- Ran all E2E authorization tests
Change-Id: I6ee97bf41546d63385026c0e2b19545565402462
Reviewed-on: http://gerrit.cloudera.org:8080/12769
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
> Implement GRANT/REVOKE privilege to USER
> ----------------------------------------
>
> Key: IMPALA-8225
> URL: https://issues.apache.org/jira/browse/IMPALA-8225
> Project: IMPALA
> Issue Type: Sub-task
> Components: Catalog, Frontend
> Reporter: Fredy Wijaya
> Assignee: Austin Nobis
> Priority: Major
>
> Ranger supports granting/revoking a privilege to a user directly. Only admin should be able to do a grant/revoke.
> Syntax:
> {noformat}
> GRANT <privilege> ON <object> TO USER <user>
> REVOKE <privilege> ON <object> FROM USER <user>
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org