Posted to reviews@impala.apache.org by "Fang-Yu Rao (Code Review)" <ge...@cloudera.org> on 2022/12/01 04:38:55 UTC

[Impala-ASF-CR] IMPALA-10986: Require the SELECT privilege to execute a UDF

Hello Quanlong Huang, Aman Sinha, Csaba Ringhofer, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/19194

to look at the new patch set (#9).

Change subject: IMPALA-10986: Require the SELECT privilege to execute a UDF
......................................................................

IMPALA-10986: Require the SELECT privilege to execute a UDF

This patch registers the SELECT privilege on a UDF during query analysis
for a SELECT query that attempts to execute the UDF. Only the required
privileges for UDF execution are changed. The required privileges
for queries like CREATE/DROP FUNCTION or SHOW FUNCTIONS remain the same.

More precisely, before this patch, to execute a UDF, a user only had to
be granted any of the SELECT, INSERT, REFRESH privileges on all the
tables, columns in the database to which the UDF belongs.

After this patch, the user has to be granted the SELECT privilege on the
UDF as well to execute the UDF. Note that currently in Hive, only the
SELECT privilege on the UDF is required when Ranger is the authorization
provider. IMPALA-11769 was also created to keep track of the difference
in the required privileges between Impala and Hive.

To facilitate managing privileges on UDFs, this patch also adds the
keyword 'USER_DEFINED_FN'. For instance, we could use the following
statement to grant the SELECT privilege on the UDF <udf_name> under the
database <db_name> to the user <user_name>.

GRANT SELECT ON USER_DEFINED_FN <db_name>.<udf_name> TO USER <user_name>

A wildcard in the name of a UDF is also supported. If an administrator
wants to grant to a user only the SELECT privilege on all the tables,
columns but not all the UDFs in a database, after executing "GRANT
SELECT ON DATABASE <db_name> TO USER <user_name>", the following could
be done to revoke the SELECT privilege on all the UDFs in the database
<db_name> from the user <user_name>.

REVOKE SELECT ON USER_DEFINED_FN <db_name>.`*` FROM USER <user_name>

Testing:
 - Added various FE and E2E tests to verify Impala's behavior with
   respect to UDF execution.
 - Verified that this patch passes the core tests in the DEBUG build.

Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
---
M common/thrift/CatalogObjects.thrift
M fe/src/main/cup/sql-parser.cup
M fe/src/main/java/org/apache/impala/analysis/Analyzer.java
M fe/src/main/java/org/apache/impala/analysis/FunctionCallExpr.java
M fe/src/main/java/org/apache/impala/analysis/FunctionName.java
M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java
M fe/src/main/jflex/sql-scanner.flex
M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
M tests/authorization/test_ranger.py
14 files changed, 400 insertions(+), 21 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/94/19194/9
-- 
To view, visit http://gerrit.cloudera.org:8080/19194
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I5e58ba30545ce169786aac279b00c8f6e09ae740
Gerrit-Change-Number: 19194
Gerrit-PatchSet: 9
Gerrit-Owner: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Aman Sinha <am...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <cs...@cloudera.com>
Gerrit-Reviewer: Fang-Yu Rao <fa...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Quanlong Huang <hu...@gmail.com>
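
A simplified model of the before/after execution rule in the commit message above, written as an added example that is not part of the patch or of Impala's or Ranger's code. It lists the users who could run a UDF before the change but not after, with the GRANT statement from the commit message that would restore access. The grant tuple layout, user names, database and UDF name are constructed, and a UDF grant named "*" is assumed to cover every UDF in the database.

```python
# Simplified model of the rule in the commit message; not Impala or Ranger code.
DB_WIDE_PRIVS = {"SELECT", "INSERT", "REFRESH"}

# Constructed grants: (user, privilege, kind, database, name).
# kind "table" with name "*" = all tables, columns; kind "udf" with name "*" = all UDFs.
GRANTS = [
    ("alice", "SELECT", "table", "sales", "*"),
    ("alice", "SELECT", "udf", "sales", "*"),
    ("bob", "INSERT", "table", "sales", "*"),         # no grant on any UDF
    ("carol", "SELECT", "table", "sales", "*"),
    ("carol", "SELECT", "udf", "sales", "mask_ssn"),
    ("dave", "SELECT", "udf", "sales", "mask_ssn"),   # UDF grant only
]


def has_db_wide_privilege(grants, user, db):
    """Any of SELECT/INSERT/REFRESH on all tables, columns of the database."""
    return any(u == user and p in DB_WIDE_PRIVS and k == "table" and d == db
               and n == "*" for u, p, k, d, n in grants)


def has_udf_select(grants, user, db, udf):
    """SELECT on this UDF, by exact name or through the wildcard."""
    return any(u == user and p == "SELECT" and k == "udf" and d == db
               and n in ("*", udf) for u, p, k, d, n in grants)


def can_execute(grants, user, db, udf, patched):
    """Pre-patch: database-wide privilege only. Post-patch: UDF SELECT as well."""
    if not has_db_wide_privilege(grants, user, db):
        return False
    return has_udf_select(grants, user, db, udf) if patched else True


def upgrade_audit(grants, db, udf):
    """Map each user who loses db.udf after the patch to the restoring GRANT."""
    lost = {}
    for user in sorted({g[0] for g in grants}):
        before = can_execute(grants, user, db, udf, patched=False)
        after = can_execute(grants, user, db, udf, patched=True)
        if before and not after:
            lost[user] = f"GRANT SELECT ON USER_DEFINED_FN {db}.{udf} TO USER {user}"
    return lost


if __name__ == "__main__":
    for user, stmt in upgrade_audit(GRANTS, "sales", "mask_ssn").items():
        print(f"{user} loses sales.mask_ssn after the patch; to restore: {stmt}")
```

In this model dave is denied both before and after the change, because the database-wide privilege is still required in addition to SELECT on the UDF.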