Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
Description
To reproduce the issue, start an Impala cluster with Ranger authorization enabled:

    bin/start-impala-cluster.py --impalad_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger" --catalogd_args="--server-name=server1 --ranger_service_type=hive --ranger_app_id=impala --authorization_provider=ranger"

Create a role "hql_test" and a temp table "tmp_tbl", then set the owner of it to the role:

    $ impala-shell.sh -u admin
    default> create table tmp_tbl(id int);
    default> create role hql_test;
    default> alter table tmp_tbl set owner role hql_test;
    Query: alter table tmp_tbl set owner role hql_test
    ERROR: AnalysisException: Role 'hql_test' does not exist.

However, SHOW ROLES can show the role:

    default> show roles;
    Query: show roles
    +-----------+
    | role_name |
    +-----------+
    | hql_test  |
    +-----------+
    Fetched 1 row(s) in 0.01s

Ranger roles are not loaded in Impala's catalog cache. We should either load them or use RangerPlugin to check existence of a role. Code snippet of the role check:

    if (analyzer.isAuthzEnabled() && owner_.getOwnerType() == TOwnerType.ROLE
        && analyzer.getCatalog().getAuthPolicy().getRole(ownerName) == null) {
      throw new AnalysisException(String.format("Role '%s' does not exist.", ownerName));
    }

CC fangyurao
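
A small model of the mismatch described above and of the two remedies the report names, as an added example that is not Impala or Ranger code. Every type and method name in it (RoleSource, CatalogRoleCache, ExternalRoleStore, checkOwnerRole) is hypothetical and etl_role is a constructed sample; it also shows that a one-time load into the cache misses roles created afterwards.

```java
import java.util.Set;
import java.util.TreeSet;

// Hypothetical model of the role check in this report; none of these types are Impala or Ranger APIs.
public class OwnerRoleCheck {
  interface RoleSource { boolean roleExists(String name); }

  // Stand-in for the catalog cache: it knows only the roles that were loaded into it.
  static final class CatalogRoleCache implements RoleSource {
    private final Set<String> loaded = new TreeSet<>();
    void load(Set<String> roles) { loaded.addAll(roles); }
    @Override public boolean roleExists(String name) { return loaded.contains(name); }
  }

  // Stand-in for the external role store that CREATE ROLE and SHOW ROLES talk to.
  static final class ExternalRoleStore implements RoleSource {
    private final Set<String> roles = new TreeSet<>();
    void createRole(String name) { roles.add(name); }
    Set<String> showRoles() { return new TreeSet<>(roles); }
    @Override public boolean roleExists(String name) { return roles.contains(name); }
  }

  // Owner validation, parameterized by the source it trusts for role existence.
  static String checkOwnerRole(RoleSource source, String ownerName) {
    return source.roleExists(ownerName)
        ? "ok"
        : String.format("Role '%s' does not exist.", ownerName);
  }

  public static void main(String[] args) {
    ExternalRoleStore store = new ExternalRoleStore();
    CatalogRoleCache cache = new CatalogRoleCache();
    store.createRole("hql_test");  // role name taken from the report

    System.out.println("show roles          : " + store.showRoles());
    // The mismatch: the role is listed, but the cache-only check rejects it.
    System.out.println("cache-only check    : " + checkOwnerRole(cache, "hql_test"));
    // Remedy 1: ask the role store directly.
    System.out.println("store check         : " + checkOwnerRole(store, "hql_test"));
    // Remedy 2: load the roles into the cache before checking.
    cache.load(store.showRoles());
    System.out.println("cache after load    : " + checkOwnerRole(cache, "hql_test"));
    // A loaded cache is a snapshot: a role created later is missed until the next load.
    store.createRole("etl_role");  // constructed sample
    System.out.println("cache, later role   : " + checkOwnerRole(cache, "etl_role"));
    System.out.println("store, later role   : " + checkOwnerRole(store, "etl_role"));
  }
}
```
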
Issue Links
- duplicates
  - IMPALA-10712 SET OWNER ROLE <role_name> of a database/table/view is not supported when Ranger is the authorization provider (Open)