Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10554

Block modifications when row-filter/column-mask is enabled for the user

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • Impala 3.4.0
    • Impala 4.0.0
    • Security
    • None

    Description

      Per RANGER-1087 and RANGER-1100, table modifications(insert/delete/update) should be blocked when row-filter/column-masking policy is enabled for the user.

      Currently, Impala doesn't block them, which is a bug considering to Hive's behavior.

      Reproducing the issue
      Create a table and a column masking policy on it:

      hive> create table hql_tbl (id int, name string) stored as textfile;
      hive> insert into table hql_tbl values (0, 'aaa'), (1, 'bbb'), (2, 'ccc');
      

      Column masking policy:

      In Hive, the INSERT will be denied:

      hive> insert into table hql_tbl values (3, 'ddd');
      Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [UPDATE] privilege on [default/hql_tbl]
      

      However, the user is able to insert values using Impala.

      The related Ranger config is xasecure.hive.block.update.if.rowfilter.columnmask.specified.

      CC fangyurao

      Attachments

        1. column_masking_policy.png
          113 kB
          Quanlong Huang

        Issue Links

          Activity

            People

              stigahuang Quanlong Huang
              stigahuang Quanlong Huang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: