You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@impala.apache.org by "Bharath Vissapragada (Code Review)" <ge...@cloudera.org> on 2016/06/28 12:42:58 UTC

[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions 

Bharath Vissapragada has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/3520

Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions
......................................................................

IMPALA-3797: Relax privilege requirements for creating/dropping functions

Currently Impala expects an ALL privilege at the server level
for creating or dropping functions. This is not reasonable
because the user ends up getting many more undesirable grants
apart from creating/dropping functions. To fix this, we change
the grant model to the following

- Creating functions now require an ALL privilege on the function URI
- Dropping functions doesn't require any specific privileges

The above rules make Impala's behavior consistent with Hive.

Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c
---
M fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java
M fe/src/main/java/com/cloudera/impala/analysis/DropFunctionStmt.java
M fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java
M fe/src/test/resources/authz-policy.ini.template
4 files changed, 16 insertions(+), 27 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala refs/changes/20/3520/1
-- 
To view, visit http://gerrit.cloudera.org:8080/3520
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c
Gerrit-PatchSet: 1
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Bharath Vissapragada <bh...@cloudera.com>

[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions

Posted by "Alex Behm (Code Review)" <ge...@cloudera.org>.
Alex Behm has posted comments on this change.

Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions
......................................................................


Patch Set 1:

Any update on this one?

-- 
To view, visit http://gerrit.cloudera.org:8080/3520
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c
Gerrit-PatchSet: 1
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Bharath Vissapragada <bh...@cloudera.com>
Gerrit-Reviewer: Alex Behm <al...@cloudera.com>
Gerrit-Reviewer: Dimitris Tsirogiannis <dt...@cloudera.com>
Gerrit-HasComments: No

[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions

Posted by "Alex Behm (Code Review)" <ge...@cloudera.org>.
Alex Behm has posted comments on this change.

Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions
......................................................................


Patch Set 1:

(4 comments)

http://gerrit.cloudera.org:8080/#/c/3520/1//COMMIT_MSG
Commit Message:

PS1, Line 15: Creating
Can you summarize the new privilege requirements here and in the JIRA? My understanding is that CREATE FUNCTION needs CREATE privs on the database and ALL privs on the HDFS URI of the function library. (similar for DROP)


http://gerrit.cloudera.org:8080/#/c/3520/1/fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java
File fe/src/main/java/com/cloudera/impala/analysis/CreateFunctionStmtBase.java:

Line 161:     location_.analyze(analyzer, Privilege.ALL, FsAction.READ);
For my understanding, any idea why READ on the location is not sufficient? The CREATE FUNCTION does not write/create anything in that URL.

In any case, better to be consistent with Hive.


http://gerrit.cloudera.org:8080/#/c/3520/1/fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java
File fe/src/test/java/com/cloudera/impala/analysis/AuthorizationTest.java:

Line 1809
we should still test that the admin can do everything


Line 1813:       sentryService.grantRoleToGroup(USER, "udf_uri", USER.getName());
add tests to demonstrate what SHOW FUNCTIONS commands the udf_uri user can run


-- 
To view, visit http://gerrit.cloudera.org:8080/3520
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c
Gerrit-PatchSet: 1
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Bharath Vissapragada <bh...@cloudera.com>
Gerrit-Reviewer: Alex Behm <al...@cloudera.com>
Gerrit-Reviewer: Dimitris Tsirogiannis <dt...@cloudera.com>
Gerrit-HasComments: Yes

[Impala-CR](cdh5-trunk) IMPALA-3797: Relax privilege requirements for creating/dropping functions

Posted by "Bharath Vissapragada (Code Review)" <ge...@cloudera.org>.
Bharath Vissapragada has abandoned this change.

Change subject: IMPALA-3797: Relax privilege requirements for creating/dropping functions
......................................................................


Abandoned

I need to rethink this a little and I'll post a review to ASF CR. Thanks for the initial set of comments Alex, I'll add you to the new CR.

-- 
To view, visit http://gerrit.cloudera.org:8080/3520
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: abandon
Gerrit-Change-Id: Ibfe351f4b1575bdf61eeab8395efee834a16145c
Gerrit-PatchSet: 1
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Bharath Vissapragada <bh...@cloudera.com>
Gerrit-Reviewer: Alex Behm <al...@cloudera.com>
Gerrit-Reviewer: Dimitris Tsirogiannis <dt...@cloudera.com>