Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10728

Impala should check access privileges inside masking expressions

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Impala 4.0.0
    • Fix Version/s: Impala 4.0.0
    • Component/s: Frontend, Security
    • Labels:
      None
    • Epic Color:
      ghx-label-2

      Description

      Row-filtering/column-masking policies may have subqueries which involve some other tables. These tables can have associate policies as well. Currently, Impala won't check any policies on these tables, including access policies and masking policies (row-filtering/column-masking). The rational is these expressions are evaluated in admin's point of view. Another reason is to avoid recursive masking, and sometimes infinite recursive masking. E.g. a row-filter subquery can have tables that also have such kind of row-filters.

      Although Hive also skipps applying masking policies recursively inside masking/filtering expressions, Hive still check access policies inside them. To avoid breaking users that depend on this, we'd better be compatible with Hive's behavior first.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                stigahuang Quanlong Huang
                Reporter:
                stigahuang Quanlong Huang
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: