You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/02/13 22:22:00 UTC

[jira] [Commented] (IMPALA-7002) Referencing non-existent table/database in CTE without any privilege results in AnalysisException and not AuthorizationException

    [ https://issues.apache.org/jira/browse/IMPALA-7002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036550#comment-17036550 ] 

ASF subversion and git services commented on IMPALA-7002:
---------------------------------------------------------

Commit 8ddbc1807a641587a05c2f5327c498f92acb935c in impala's branch refs/heads/master from wzhou-code
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=8ddbc18 ]

IMPALA-7002: Throw AuthorizationException when user accesses
non-existent table/database in CTE without required privileges.

Currently if a user without required privileges tries to access a
non-existent database or table, then impala returns an analysis
exception instead of authorization exception. This happens because
during analysis of the with clause, the authorization request does
not get registered due to analysis exception being thrown before it.
This patch makes sure that those requests get registered regardless.

Testing:
 - Manual test:
   - ran CTE with non-existent database/table in impala-shell
     without required privilege, verified that it results in
     AuthorizationException.
   - ran CTE with non-existent database/table in impala-shell
     with the required privilege, verified that it results
     in AnalysisException.
 - Added CTE test cases for non-existent database/table/column
   in AuthorizationStmtTest.
 - Passed all FE tests.
 - Passed all core tests.

Change-Id: Ia6b657a7147a136198a9a97a679c9131ee814577
Reviewed-on: http://gerrit.cloudera.org:8080/15123
Reviewed-by: Bikramjeet Vig <bi...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Referencing non-existent table/database in CTE without any privilege results in AnalysisException and not AuthorizationException
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-7002
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7002
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Frontend
>    Affects Versions: Impala 2.10.0, Impala 2.11.0, Impala 2.12.0
>            Reporter: Fredy Wijaya
>            Assignee: Wenzhe Zhou
>            Priority: Major
>              Labels: security
>
> {noformat}
> A CTE from non-existent database.
> [localhost:21000] default> with t as (select id from nodb.alltypes) select * from t;
> Query: with t as (select id from nodb.alltypes) select * from t
> Query submitted at: 2018-05-09 12:31:29 (Coordinator: http://impdev-dev:25000)
> ERROR: AnalysisException: Could not resolve table reference: 'nodb.alltypes'
> A normal select from non-existent database.
> [localhost:21000] default> select id from nodb.alltypes; Query: select id from nodb.alltypes
> Query submitted at: 2018-05-09 12:32:58 (Coordinator: http://fwijaya-dev:25000)
> ERROR: AuthorizationException: User 'impdev' does not have privileges to execute 'SELECT' on: nodb.alltypes
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org