You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Quanlong Huang (Jira)" <ji...@apache.org> on 2022/08/25 01:33:00 UTC
[jira] [Resolved] (IMPALA-11281) Consider loading the table metadata for a ResetMetadataStmt
[ https://issues.apache.org/jira/browse/IMPALA-11281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Quanlong Huang resolved IMPALA-11281.
-------------------------------------
Fix Version/s: Impala 4.2.0
Resolution: Fixed
Resolving this. There is a follow-up item tracked in IMPALA-11501. Thank [~fangyurao] !
> Consider loading the table metadata for a ResetMetadataStmt
> -----------------------------------------------------------
>
> Key: IMPALA-11281
> URL: https://issues.apache.org/jira/browse/IMPALA-11281
> Project: IMPALA
> Issue Type: Bug
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
> Fix For: Impala 4.2.0
>
>
> Currently when a {{ResetMetadataStmt}} that has a non-null '{{tableName_}}' is being analyzed, we do not add its '{{{}tableName_{}}}' to the given '{{{}tblRefs{}}}' in {{collectTableRefs()}} if its '{{{}partitionSpec_{}}}' is null ([https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/ResetMetadataStmt.java#L131]).
> When the metadata of a table is not fully loaded, we won't populate the column names of a table in its corresponding {{AuthorizableTable}} ([https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L227L229]) since the table is an {{{}IncompleteTable{}}}.
> If the column names are not populated in the corresponding {{AuthorizableTable}} of a table in a {{{}ResetMetadataStmt{}}}, then the logic in [RangerAuthorizationChecker#authorizeByTableMasking()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L669-L684] that is supposed to block the metadata update when there are policies defined on the columns could not take effect since in this case [((AuthorizableTable) authorizable).getColumns()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L663] returns an empty list. As a result, such an update would be allowed if there is no other authorization error.
> To reproduce the issue, we could comment out all the test cases in [RangerAuditLogTest#testAuditsForColumnMasking()|https://github.com/apache/impala/blob/master/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java#L261] except for the following one. The following test case would fail since the query "{{{}invalidate metadata functional.alltypestiny{}}}" won't result in any authorization error. This test case could succeed with its previous test cases enabled because in the previous test cases, there is at least one invocation to {{SelectStmt#collectTableRefs()}} that triggers the metadata loading of the table '{{{}functional.alltypestiny{}}}'.
> {code:java}
> // Updates on metadata fails by column-masking policies.
> authzError(events -> {
> assertEquals(1, events.size());
> assertEquals("invalidate metadata functional.alltypestiny",
> events.get(0).getRequestData());
> assertEventEquals("@table", "refresh", "functional/alltypestiny", 0,
> events.get(0));
> // Make sure it's denied by a column masking policy.
> assertTrue(columnMaskingPolicyIds.contains(events.get(0).getPolicyId()));
> }, "invalidate metadata functional.alltypestiny", onServer(TPrivilegeLevel.ALL));
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)