  1. IMPALA
  2. IMPALA-3133

Unexpected privileges in show output


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Impala 2.2.4, Impala 2.3.0, Impala 2.5.0
    • Fix Version/s: Impala 2.6.0, Impala 2.5.1
    • Component/s: Frontend
    • Labels:
      None

      Description

      Impalad's catalog cache, which is used to respond to 'show' operations, can return inconsistent data.

      I believe that this is because when a catalog operation is issued, we immediately update the local catalog cache, via ImpaladCatalog::updateCatalog. Every 60 seconds, SentryProxy (via PolicyReader) refreshes the authorization policy metadata in the catalog by querying the Sentry service.

      Some sort of race condition exists where an authorization operation may be issued, and the local catalog cache gets updated to reflect this, but then before the Sentry service has received the update SentryProxy refreshes the data, getting stale state from the Sentry service and undoing the change to the local catalog cache. E.g.:

      > grant all on server to role test;
      > show grant role test;

      scope   server   database  table  column  uri  privilege  grant_option  create_time
      SERVER  server1                                ALL        false         NULL

      > revoke all on server from role test;
      > show grant role test;
      (no output)

      // a few seconds later

      > show grant role test

      scope   server   database  table  column  uri  privilege  grant_option  create_time
      SERVER  server1                                ALL        false         NULL

      The attached query test file reproduces the error (non-deterministically).

      Because operations requiring authorization always contact Sentry instead of relying on the catalog cache, this is not a security issue, but the inconsistent output could be confusing to users.

        Attachments

        1. grant_revoke_error.test
          0.9 kB
          Thomas Tauber-Marshall

            People

            • Assignee:
              dtsirogiannis Dimitris Tsirogiannis
              Reporter:
              twmarshall Thomas Tauber-Marshall
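
The interleaving hypothesised in the description, replayed deterministically as an added example (not part of the original report, and not Impala or Sentry code). `PolicyService`, `CachedCatalog` and `replay` are hypothetical names, and the pending-update queue is an assumed stand-in for the window before the Sentry service has received the update.

```python
# Toy model of the suspected race; all names are hypothetical.

class PolicyService:
    """Authoritative privilege store (stands in for the Sentry service)."""
    def __init__(self):
        self.privs = set()
        self.pending = []                  # updates sent but not yet applied

    def submit(self, op, priv):
        self.pending.append((op, priv))

    def apply_pending(self):
        for op, priv in self.pending:
            (self.privs.add if op == "grant" else self.privs.discard)(priv)
        self.pending.clear()

    def snapshot(self):
        return set(self.privs)

class CachedCatalog:
    """Local cache that answers 'show': updated eagerly and by a periodic poll."""
    def __init__(self, service):
        self.service = service
        self.cache = set()

    def execute(self, op, priv):
        self.service.submit(op, priv)      # update is in flight to the service
        (self.cache.add if op == "grant" else self.cache.discard)(priv)

    def refresh(self):                     # models the 60-second policy refresh
        self.cache = self.service.snapshot()

    def show(self):
        return sorted(self.cache)

def replay():
    svc = PolicyService()
    cat = CachedCatalog(svc)
    priv = ("SERVER", "server1", "ALL")    # constructed sample privilege
    out = []
    cat.execute("grant", priv); svc.apply_pending()
    out.append(cat.show())                 # grant is listed
    cat.execute("revoke", priv)
    out.append(cat.show())                 # empty: cache was updated eagerly
    cat.refresh()                          # poll lands before the revoke is applied
    out.append(cat.show())                 # stale grant is listed again
    svc.apply_pending()
    out.append(svc.snapshot())             # authoritative state: revoked
    cat.refresh()
    out.append(cat.show())                 # in this model the next poll converges
    return out
```

In this model the third `show` diverges from the authoritative snapshot, which matches the report's point that only the displayed output is affected while the service itself holds the revoked state.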