Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-2695

Catalog stores URI in lowercase and cause sentry authorization fail

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Impala 2.1, Impala 2.2, Impala 2.3.0
    • Fix Version/s: Impala 2.5.0, Impala 2.3.2
    • Component/s: None
    • Labels:
      None

      Description

      Create a directory with upper case then grant all URI permission to a role, then try to create table and set location to a subdir under the URI via Impala. create table will fail with ERROR: AuthorizationException: User 'systest@HALXG.CLOUDERA.COM' does not have privileges to access: hdfs://c2302.halxg.cloudera.com:8020/tmp/ABC/hh

      step to reproduce:

      sudo -u hdfs hdfs dfs -mkdir /tmp/ABC/hh
      grant all on URI '/tmp/ABC' to role test_sentry;
      create external table test(col int) location '/tmp/ABC/hh';
      

      Catalog is actually storing a lower cased version of uri when doing a grant. And also sending a lower cased version of uri when requesting privileges from Sentry. So looks like two things have to be fixed in Impala
      1) Role.java -> Change cache to case sensitive for privilege map.
      2) RolePrivilege.java -> URIs should not be lower cased: http://github.mtv.cloudera.com/CDH/Impala/blob/cdh5-trunk/fe/src/main/java/com/cloudera/impala/catalog/RolePrivilege.java#L104

        Attachments

          Activity

            People

            • Assignee:
              bharathv bharath v
              Reporter:
              jyu@cloudera.com Juan Yu
            • Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: