Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10728

Impala should check access privileges inside masking expressions

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • Impala 4.0.0
    • Impala 4.0.0
    • Frontend, Security
    • None
    • ghx-label-2

    Description

      Row-filtering/column-masking policies may have subqueries which involve some other tables. These tables can have associate policies as well. Currently, Impala won't check any policies on these tables, including access policies and masking policies (row-filtering/column-masking). The rational is these expressions are evaluated in admin's point of view. Another reason is to avoid recursive masking, and sometimes infinite recursive masking. E.g. a row-filter subquery can have tables that also have such kind of row-filters.

      Although Hive also skipps applying masking policies recursively inside masking/filtering expressions, Hive still check access policies inside them. To avoid breaking users that depend on this, we'd better be compatible with Hive's behavior first.

      Attachments

        Issue Links

          relates to

          New Feature - A new feature of the product, which has yet to be developed. IMPALA-9234 Support Ranger row filtering policies

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link Code Review

          Activity

            People

              stigahuang Quanlong Huang
              stigahuang Quanlong Huang
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: