From sail...@apache.org
Subject [1/3] incubator-impala git commit: IMPALA-4951: Fix database visibility for user with only column privilege
Date Wed, 04 Oct 2017 17:10:40 GMT
Repository: incubator-impala
Updated Branches:
  refs/heads/master 98092dd6c -> 625964107


IMPALA-4951: Fix database visibility for user with only column privilege

Currently a database is not visible to a user that only has column
level privileges for tables in that database. This patch will make
the database visible, which is the expected behavior in this case.

Testing: added a test case to verify the same.

Change-Id: Id77904876729c0223fd6ace2d5e7199bd700a33a
Reviewed-on: http://gerrit.cloudera.org:8080/8168
Reviewed-by: Bikramjeet Vig <bikramjeet.vig@cloudera.com>
Tested-by: Impala Public Jenkins


Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/0601f06c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/0601f06c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/0601f06c

Branch: refs/heads/master
Commit: 0601f06cb62549e132e1a4a1a272e72fb3839e30
Parents: 98092dd
Author: Bikramjeet Vig <bikramjeet.vig@cloudera.com>
Authored: Mon Sep 25 19:59:24 2017 -0700
Committer: Impala Public Jenkins <impala-public-jenkins@gerrit.cloudera.org>
Committed: Wed Oct 4 03:14:20 2017 +0000

----------------------------------------------------------------------
 .../org/apache/impala/service/Frontend.java     |  3 +-
 .../queries/QueryTest/grant_revoke.test         | 71 ++++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/0601f06c/fe/src/main/java/org/apache/impala/service/Frontend.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/org/apache/impala/service/Frontend.java b/fe/src/main/java/org/apache/impala/service/Frontend.java
index 60e84b4..63941c1 100644
--- a/fe/src/main/java/org/apache/impala/service/Frontend.java
+++ b/fe/src/main/java/org/apache/impala/service/Frontend.java
@@ -58,6 +58,7 @@ import org.apache.impala.analysis.TableName;
 import org.apache.impala.analysis.TruncateStmt;
 import org.apache.impala.authorization.AuthorizationChecker;
 import org.apache.impala.authorization.AuthorizationConfig;
+import org.apache.impala.authorization.AuthorizeableTable;
 import org.apache.impala.authorization.ImpalaInternalAdminUser;
 import org.apache.impala.authorization.PrivilegeRequest;
 import org.apache.impala.authorization.PrivilegeRequestBuilder;
@@ -670,7 +671,7 @@ public class Frontend {
       return true;
     }
     PrivilegeRequest request = new PrivilegeRequestBuilder()
-        .any().onAnyTable(db.getName()).toRequest();
+        .any().onAnyColumn(db.getName(), AuthorizeableTable.ANY_TABLE_NAME).toRequest();
     return authzChecker_.get().hasAccess(user, request);
   }
 
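Review bot: The new `onAnyColumn(db.getName(), AuthorizeableTable.ANY_TABLE_NAME)` request has no comment saying it decides only whether the database is listed, not whether any data in it may be read. Without that, a later reader could narrow it back to `onAnyTable` and reintroduce IMPALA-4951, or reuse the wildcard request where a real access check is meant. I would add above the builder: `// Visibility only (IMPALA-4951): list the db if the user holds any privilege on any column of any table in it.` The hunk does not show whether database-scope and table-scope grants still satisfy this request; presumably they do through the wildcard table name, but that should be confirmed against the existing grant_revoke cases. The enclosing method starts outside the hunk.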

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/0601f06c/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
----------------------------------------------------------------------
diff --git a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
index 3f219c5..f78f1f5 100644
--- a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
+++ b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
@@ -741,10 +741,81 @@ scope, database, table, column, uri, privilege, grant_option, create_time
 STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
 ====
 ---- QUERY
+# IMPALA-4951: make sure database is visible to a user having only column level access
+# to a table in the database
+grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
+---- RESULTS
+====
+---- QUERY
+create role grant_revoke_test_COLUMN_PRIV
+====
+---- QUERY
+grant role grant_revoke_test_COLUMN_PRIV to group $GROUP_NAME;
+====
+---- QUERY
+create database if not exists grant_rev_db;
+====
+---- QUERY
+create table grant_rev_db.test_tbl4 (col1 int, col2 int);
+====
+---- QUERY
+revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
+====
+---- QUERY
+show grant role grant_revoke_test_COLUMN_PRIV
+---- RESULTS
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
+# grant_rev_db is not visible as user does not have any level of access to it
+show databases
+---- RESULTS
+'default','Default Hive database'
+---- TYPES
+STRING,STRING
+====
+---- QUERY
+grant select(col1) on table grant_rev_db.test_tbl4 to role grant_revoke_test_COLUMN_PRIV
+====
+---- QUERY
+show grant role grant_revoke_test_COLUMN_PRIV
+---- RESULTS: VERIFY_IS_EQUAL_SORTED
+'column','grant_rev_db','test_tbl4','col1','','select',false,regex:.+
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
+show databases
+---- RESULTS
+'default','Default Hive database'
+'grant_rev_db',''
+---- TYPES
+STRING,STRING
+====
+---- QUERY
+grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
+---- RESULTS
+====
+---- QUERY
+drop database if exists grant_rev_db cascade
+====
+---- QUERY
+revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
+====
+---- QUERY
+revoke role grant_revoke_test_COLUMN_PRIV from group $GROUP_NAME
+====
+---- QUERY
 # Cleanup test roles
 drop role grant_revoke_test_ALL_SERVER;
 drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
 drop role grant_revoke_test_ALL_URI;
 drop role grant_revoke_test_ROOT;
+drop role grant_revoke_test_COLUMN_PRIV;
 ---- RESULTS
 ====
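Review bot: The added case checks that `grant_rev_db` appears after `grant select(col1)`, but never checks that it disappears again once that column privilege is revoked. The test goes straight to re-granting `grant_revoke_test_ALL_SERVER` and dropping the database. For an authorization change the revoke direction is the more important regression to pin, since stale visibility would keep exposing the database name to a user who no longer has any grant in it. I would add a revoke followed by a second `show databases` expecting only `default`, placed before the ALL_SERVER role is granted back. This assumes the test user can run the revoke at that point as it runs the grant; confirm against the test setup.

```sql
# … unchanged: grant select(col1) and the show databases check that lists grant_rev_db …
---- QUERY
revoke select(col1) on table grant_rev_db.test_tbl4 from role grant_revoke_test_COLUMN_PRIV
====
---- QUERY
# grant_rev_db must no longer be visible once the only column privilege is revoked
show databases
---- RESULTS
'default','Default Hive database'
---- TYPES
STRING,STRING
====
# … unchanged: re-grant ALL_SERVER, drop database, revoke roles …
```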

