Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10300

Investigate the need for checking the privilege on server when creating a Kudu table with property of kudu.master_addresses

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Information Provided
    • None
    • None
    • Frontend
    • None
    • ghx-label-5

    Description

      We found that based on the default Ranger policies loaded by $IMPALA_HOME/testdata/bin/create-load-data.sh, the following query would result in an AuthorizationException.

      CREATE TABLE `kudu_table` (
      `id` BIGINT,
      `name` STRING, primary key(id)
      )
      STORED AS KUDU
      TBLPROPERTIES(
        'kudu.master_addresses' = 'localhost'
      );
      

      According to the error message, the requesting user does not have the necessary privileges on "server1", where "server1" is part of the input arguments we use to start impalad's and catalogd in an authorization-enabled cluster.

      However, if we do not explicitly add the table property of 'kudu.master_addresses', the query could be performed without any error and the result returned for the query of "SHOW CREATE TABLE kudu_table" would still contain the property of "'kudu.master_addresses'='localhost'".

      Hence, it would be good to figure out whether the check of the privileges on server1 is really necessary and whether the check could be waived if the explicitly specified 'kudu.master_addresses' happens to be the default value, i.e., "localhost" in this case. Notice that in order for a query with an explicitly specified 'kudu.master_addresses' property, we have to add the requesting user in the the policies of 1) all - database, table, column, 2) all - database, udf, and 3) all - url, which seems to grant too many privileges than necessary to the requesting user since in this case, the requesting user would be able to perform any operations on server1 in Impala.

      Attachments

        Issue Links

          Activity

            People

              fangyurao Fang-Yu Rao
              fangyurao Fang-Yu Rao
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: