Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- Impala 3.4.0
- None
Description
Per RANGER-1087 and RANGER-1100, table modifications (insert/delete/update) should be blocked when a row-filter/column-masking policy is enabled for the user.
Currently, Impala doesn't block them, which is a bug considering Hive's behavior.
Reproducing the issue
Create a table and a column masking policy on it:
hive> create table hql_tbl (id int, name string) stored as textfile;
hive> insert into table hql_tbl values (0, 'aaa'), (1, 'bbb'), (2, 'ccc');
Column masking policy:
In Hive, the INSERT will be denied:
hive> insert into table hql_tbl values (3, 'ddd');
Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [admin] does not have [UPDATE] privilege on [default/hql_tbl]
However, the user is able to insert values using Impala.
The related Ranger config is xasecure.hive.block.update.if.rowfilter.columnmask.specified.
CC fangyurao
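A small model of the check this issue asks Impala to enforce, written as an added example and not taken from Impala or Ranger: a write is denied when a column-masking or row-filter policy applies to the user on that table, even though the user holds the UPDATE privilege. `Policy`, `authorize`, the reason codes and the sample policies are hypothetical; the `block_update_if_masked` parameter stands in for the Ranger setting named above, and its default of `True` is an assumption.

```python
from dataclasses import dataclass

# Constructed model for illustration; none of these names are Ranger or Impala APIs.
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}

@dataclass(frozen=True)
class Policy:
    kind: str                             # "access", "column_mask" or "row_filter"
    table: str
    users: frozenset
    privileges: frozenset = frozenset()   # only meaningful for "access" policies

def authorize(user, op, table, policies, block_update_if_masked=True):
    """Return (allowed, reason_code) for one statement on one table."""
    applicable = [p for p in policies if p.table == table and user in p.users]
    # Hive reports a denied INSERT as a missing UPDATE privilege, so all
    # write statements are mapped to UPDATE here.
    needed = "UPDATE" if op in WRITE_OPS else "SELECT"
    granted = any(p.kind == "access" and needed in p.privileges for p in applicable)
    if not granted:
        return False, "no-privilege"
    # The step this issue says Impala skipped: a mask or row filter that
    # applies to this user turns every write on the table into a denial.
    masked = any(p.kind in ("column_mask", "row_filter") for p in applicable)
    if op in WRITE_OPS and masked and block_update_if_masked:
        return False, "blocked-by-mask-or-filter"
    return True, "ok"

# Constructed sample policies for the table used in the reproduction steps.
TABLE = "default/hql_tbl"
POLICIES = [
    Policy("access", TABLE, frozenset({"admin", "etl"}), frozenset({"SELECT", "UPDATE"})),
    Policy("column_mask", TABLE, frozenset({"admin"})),
]

if __name__ == "__main__":
    for user, op in [("admin", "INSERT"), ("admin", "SELECT"), ("etl", "INSERT")]:
        print(user, op, authorize(user, op, TABLE, POLICIES))
    # With the check switched off, the masked user's INSERT goes through,
    # which is the Impala behaviour reported here.
    print("admin INSERT, check off:",
          authorize("admin", "INSERT", TABLE, POLICIES, block_update_if_masked=False))
```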
Issue Links
- is related to
  - IMPALA-11501 Add flag to allow metadata-cache operations on masked tables (Resolved)
  - IMPALA-11281 Consider loading the table metadata for a ResetMetadataStmt (Resolved)
- relates to
  - IMPALA-8981 Support column masking in Impala (Resolved)
  - IMPALA-9234 Support Ranger row filtering policies (Resolved)