Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10272

LOAD DATA should respect Ranger-HDFS policies

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • None
    • Impala 4.1.0
    • Security
    • None
    • ghx-label-3

    Description

      Vincent Tran reported an issue that analyzing a LOAD DATA statement fails in checking  access to the source file while a Ranger HDFS policy actually exists to allow the access. Impala only loads the permissions from HDFS and check accesses by itself. Related codes: https://github.com/apache/impala/blob/ee4043e1a0940ae5711c68336d1ad522631d0e35/fe/src/main/java/org/apache/impala/analysis/LoadDataStmt.java#L195-L206

      When Ranger authorization is enabled, this could be wrong if the HDFS permissions is more restrict than the Ranger policies. According to the Ranger document: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=57901344#RangerUserGuide(workinprogress)-HDFSPolicycreation

      when the NameNode receives a user request, the Ranger Plugin checks for policies set through the Ranger Policy Manager. Then, if there are no policies authorizing the request, the Ranger plugin checks for permissions set in HDFS.

      We currently don't have an embeded ranger-hdfs plugin to check this locally. For a quick fix, I think when Ranger authz is enabled, we can check the access using FileSystem#access(Path path, FsAction mode) to invoke a NameNode RPC to respect Ranger-HDFS policies.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            LiPenglin LiPenglin
            stigahuang Quanlong Huang
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment