Details

    • Sub-task
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • None
    • Impala 3.3.0
    • Frontend
    • None

    Description

      Because of policy sharing between Hive and Ranger, Impala needs to throw an authorization exception when column masking and row filtering are enabled in Hive. This is only temporary until Impala has proper support for column masking and row filtering.

          Activity

            jira-bot ASF subversion and git services added a comment -

            Commit f998d64767c074216e75a552b36ecf44ff295d07 in impala's branch refs/heads/master from Radford Nguyen
            [ https://gitbox.apache.org/repos/asf?p=impala.git;h=f998d64 ]

            IMPALA-8363: Fix E2E start with impala_log_dir

            This commit fixes the `CustomClusterTestSuite` to wait for the
            correct number of executors when `impala_log_dir` is specified
            in the test decorator. Previously, the default value of 3
            was always used, regardless of `cluster_size`.

            Testing:

            • Manual verification using tests/authorization/test_ranger.py
              with custom `impala_log_dir` and `cluster_size` arguments.
              Failed before changes, passed after changes
            • Ran all original E2E tests

            Change-Id: I4f46f40474b4b380abe88647a37e8e4d2231d745
            Reviewed-on: http://gerrit.cloudera.org:8080/12935
            Reviewed-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
            Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>

            radford-nguyen radford nguyen added a comment -

            The above comment erroneously references this ticket but actually applies to IMPALA-8389


            jira-bot ASF subversion and git services added a comment -

            Commit 986dbbc5145a4cfd796453d94e6c74eb786ea0d7 in impala's branch refs/heads/master from Fredy Wijaya
            [ https://gitbox.apache.org/repos/asf?p=impala.git;h=986dbbc ]

            IMPALA-8363: Deny access when column masking or row filtering is enabled in Ranger

            This patch updates the Ranger authorization checker code to deny access
            when column masking and row filtering is enabled in Ranger for queries
            that have columns/tables specified in column mask and row filter
            policies. This is to prevent data leak, such that the data that is
            masked/filtered in Hive should not be visible at all in Impala until
            Impala has full support for column masking and row filtering.

            Testing:

            • Added tests in AuthorizationStmtTest to test queries with column
              masking and row filtering enabled.
            • Ran all FE tests
            • Ran all E2E tests

            Change-Id: If46b4bf24d916e4a4ea8a36ff4acfd95d5f45c8e
            Reviewed-on: http://gerrit.cloudera.org:8080/12927
            Reviewed-by: Fredy Wijaya <fwijaya@cloudera.com>
            Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>

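The fail-closed rule described in the commit above, sketched as an added example; this is not Impala's or Ranger's code. The `Policy` class, the `"*"` any-user convention, and the sample schema and policies are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical, simplified policy model; not Ranger's or Impala's classes.
@dataclass(frozen=True)
class Policy:
    kind: str         # "mask" (column masking) or "row_filter"
    db: str           # db/table/column may contain "*" wildcards
    table: str
    column: str       # unused for row filters, which cover the whole table
    users: frozenset  # "*" means any user (assumption of this model)

class AuthorizationError(Exception):
    """Raised when a query touches data the engine cannot mask or filter."""

def blocking_policies(user, db, table, columns, policies):
    """Return the mask/row-filter policies that apply to this access."""
    hits = []
    for p in policies:
        if user not in p.users and "*" not in p.users:
            continue
        if not (fnmatchcase(db, p.db) and fnmatchcase(table, p.table)):
            continue
        if p.kind == "row_filter":
            hits.append(p)  # any read of the table would bypass the filter
        elif p.kind == "mask" and any(fnmatchcase(c, p.column) for c in columns):
            hits.append(p)
    return hits

def authorize_select(user, db, table, columns, table_schema, policies):
    """Fail closed: deny when a matching mask or filter cannot be enforced."""
    # Expand SELECT * first, otherwise a masked column slips past the check.
    cols = list(table_schema) if "*" in columns else columns
    hits = blocking_policies(user, db, table, cols, policies)
    if hits:
        kinds = ", ".join(sorted({p.kind for p in hits}))
        raise AuthorizationError(
            f"access to {db}.{table} denied for {user}: unsupported {kinds} policy")
    return True

# Constructed sample data.
SCHEMA = ["id", "name", "ssn"]
POLICIES = [
    Policy("mask", "sales", "customers", "ssn", frozenset({"analyst"})),
    Policy("row_filter", "sales", "orders", "", frozenset({"*"})),
]
```

The `SELECT *` expansion and the table-wide treatment of row filters are the two cases where a column-only check would silently return unmasked or unfiltered data.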

            People

              fredyw Fredy Wijaya
              fredyw Fredy Wijaya