Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
Impala 2.2.4, Impala 2.3.0, Impala 2.5.0
-
None
Description
Impalad's catalog cache, which is used to respond to 'show' operations, can return inconsistent data.
I believe that this is because when a catalog operation is issued, we immediately update the local catalog cache, via ImpaladCatalog::updateCatalog. Every 60 seconds, SentryProxy (via PolicyReader) refreshes the authorization policy metadata in the catalog by querying the Sentry service.
Some sort of race condition exists where an authorization operation may be issued, and the local catalog cache gets updated to reflect this, but then before the Sentry service has received the update SentryProxy refreshes the data, getting stale state from the Sentry service and undoing the change to the local catalog cache. eg:
> grant all on server to role test;
> show grant role test;
| scope | server | database | table | column | uri | privilege | grant_option | create_time |
| SERVER | server1 | ALL | false | NULL |
> revoke all on server from role test;
> show grant role test;
(no output)
// a few seconds later
> show grant role test
| scope | server | database | table | column | uri | privilege | grant_option | create_time |
| SERVER | server1 | ALL | false | NULL |
The attached query test file reproduces the error (non-deterministically).
Because operations requiring authorization always contact Sentry instead of relying on the catalog cache, this is not a security issue, but the inconsistent output could be confusing to users.