Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id B8076200CA4 for ; Wed, 7 Jun 2017 20:54:16 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id B6A91160BD0; Wed, 7 Jun 2017 18:54:16 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 08DEE160BBF for ; Wed, 7 Jun 2017 20:54:15 +0200 (CEST) Received: (qmail 22751 invoked by uid 500); 7 Jun 2017 18:54:15 -0000 Mailing-List: contact reviews-help@impala.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list reviews@impala.incubator.apache.org Received: (qmail 22733 invoked by uid 99); 7 Jun 2017 18:54:14 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Jun 2017 18:54:14 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 85B091A7A51 for ; Wed, 7 Jun 2017 18:54:13 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.362 X-Spam-Level: X-Spam-Status: No, score=0.362 tagged_above=-999 required=6.31 tests=[RDNS_DYNAMIC=0.363, SPF_PASS=-0.001] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id TaN9wJk79D_6 for ; Wed, 7 Jun 2017 18:54:11 +0000 (UTC) Received: from ip-10-146-233-104.ec2.internal (ec2-75-101-130-251.compute-1.amazonaws.com [75.101.130.251]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 6F4315F340 for ; Wed, 7 Jun 2017 18:54:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by ip-10-146-233-104.ec2.internal (8.14.4/8.14.4) with ESMTP id v57IsAO0021853; Wed, 7 Jun 2017 18:54:10 GMT Message-Id: <201706071854.v57IsAO0021853@ip-10-146-233-104.ec2.internal> Date: Wed, 7 Jun 2017 18:54:09 +0000 From: "Dimitris Tsirogiannis (Code Review)" To: Alex Behm , impala-cr@cloudera.com, reviews@impala.incubator.apache.org CC: Marcel Kornacker Reply-To: dtsirogiannis@cloudera.com X-Gerrit-MessageType: newpatchset Subject: =?UTF-8?Q?=5BImpala-ASF-CR=5D_IMPALA-4965=3A_Authorize_access_to_runtime_profile_and_exec_summary=0A?= X-Gerrit-Change-Id: I2255d587367c2d328590ae8534a5406c4b0c9b15 X-Gerrit-ChangeURL: X-Gerrit-Commit: c77bb3af293027dedde355941e8019504a325c41 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Content-Disposition: inline User-Agent: Gerrit/2.12.7 archived-at: Wed, 07 Jun 2017 18:54:16 -0000 Hello Alex Behm, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/7064 to look at the new patch set (#7). Change subject: IMPALA-4965: Authorize access to runtime profile and exec summary ...................................................................... IMPALA-4965: Authorize access to runtime profile and exec summary Bug: When Sentry-based authorization is enabled, a user that isn't authorized to EXPLAIN a statement that uses a view can still access unauthorized information, such as view's definition, by running the statement and asking for the query profile or the execution summary. Fix: During query compilation, determine if the user can access the the runtime profile or the execution summary. Upon request for a runtime profile or execution summary from a user, determine based on that information and the user that is asking for the profile if the runtime profile (or execution summary) will be returned or an authorization error. The authorization rule enforced is the following: - User A runs statement S, A asks for profile, A has profile access: Runtime profile is returned - User A runs statement S, A asks for profile, A doesn't have profile access: Authorization error - User A runs statement S, user B asks for profile: Authorization error. This patch doesn't enforce access to the runtime profile or execution summary through the Web UI. Change-Id: I2255d587367c2d328590ae8534a5406c4b0c9b15 --- M be/src/service/client-request-state.cc M be/src/service/client-request-state.h M be/src/service/impala-beeswax-server.cc M be/src/service/impala-hs2-server.cc M be/src/service/impala-http-handler.cc M be/src/service/impala-server.cc M be/src/service/impala-server.h M be/src/util/auth-util.cc M be/src/util/auth-util.h M common/thrift/Frontend.thrift M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java M fe/src/main/java/org/apache/impala/analysis/Analyzer.java M fe/src/main/java/org/apache/impala/analysis/InlineViewRef.java M fe/src/main/java/org/apache/impala/analysis/ShowCreateTableStmt.java M fe/src/main/java/org/apache/impala/service/Frontend.java M shell/impala_shell.py M tests/authorization/test_authorization.py 17 files changed, 279 insertions(+), 53 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/64/7064/7 -- To view, visit http://gerrit.cloudera.org:8080/7064 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: newpatchset Gerrit-Change-Id: I2255d587367c2d328590ae8534a5406c4b0c9b15 Gerrit-PatchSet: 7 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Dimitris Tsirogiannis Gerrit-Reviewer: Alex Behm Gerrit-Reviewer: Dimitris Tsirogiannis Gerrit-Reviewer: Marcel Kornacker