Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10554

Block modifications when row-filter/column-mask is enabled for the user

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • Impala 3.4.0
    • Impala 4.0.0
    • Security
    • None

    Description

      Per RANGER-1087 and RANGER-1100, table modifications(insert/delete/update) should be blocked when row-filter/column-masking policy is enabled for the user.

      Currently, Impala doesn't block them, which is a bug considering to Hive's behavior.

      Reproducing the issue
      Create a table and a column masking policy on it:

      hive> create table hql_tbl (id int, name string) stored as textfile;
hive> insert into table hql_tbl values (0, 'aaa'), (1, 'bbb'), (2, 'ccc');

      Column masking policy:

      In Hive, the INSERT will be denied:

      hive> insert into table hql_tbl values (3, 'ddd');
Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [UPDATE] privilege on [default/hql_tbl]

      However, the user is able to insert values using Impala.

      The related Ranger config is xasecure.hive.block.update.if.rowfilter.columnmask.specified.

      CC fangyurao

      Attachments

        1. column_masking_policy.png
          113 kB
          Quanlong Huang

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. IMPALA-11501 Add flag to allow metadata-cache operations on masked tables

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. IMPALA-11281 Consider loading the table metadata for a ResetMetadataStmt

          • Major - Major loss of function.
          • Resolved
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. IMPALA-8981 Support column masking in Impala

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. IMPALA-9234 Support Ranger row filtering policies

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              stigahuang Quanlong Huang
              stigahuang Quanlong Huang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: