IMPALA-4951

Impala does not show database if the user only has column-level access


Details

    Description

      Following are the steps to reproduce it.

      1) As a Sentry admin user, create the database and table, and grant SELECT privileges on a selected column to a user. In this example:

      admin user      = hive
      restricted user = kms
      database name   = test_db
      table name      = test_tbl(col1 int, col2 int)
      role name       = test_role
      

      Following are the commands to accomplish it.

      create database test_db;
      create role test_role;
      create table test_db.test_tbl (col1 int, col2 int);
      GRANT SELECT(col1) ON TABLE test_db.test_tbl TO ROLE test_role;
      grant role test_role to group kms;
      show grant role test_role;
      
      

      (Before the second step, do an invalidate metadata in Impala if the above was done using Hive.)

      2) Now, connect as the user that has the role test_role (user kms in our example) and list the databases. See the lines highlighted inline with a left arrow <===

      [nightly59-2.gce.cloudera.com:25003] > show current roles;
      Query: show current roles
      +-----------+
      | role_name |
      +-----------+
      | test_role |
      +-----------+
      Fetched 1 row(s) in 0.02s
      [nightly59-2.gce.cloudera.com:25003] > show grant role test_role;
      Query: show grant role test_role
      +--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
      | scope  | database | table    | column | uri | privilege | grant_option | create_time                   |
      +--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
      | COLUMN | test_db  | test_tbl | col1   |     | SELECT    | false        | Fri, Feb 17 2017 15:50:23.791 |
      +--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
      Fetched 1 row(s) in 0.07s
      [nightly59-2.gce.cloudera.com:25003] > show databases;     <==== Note that it doesn't display test_db
      Query: show databases
      +---------+-----------------------+
      | name    | comment               |
      +---------+-----------------------+
      | default | Default Hive database | 
      +---------+-----------------------+
      Fetched 1 row(s) in 0.02s
      [nightly59-2.gce.cloudera.com:25003] > 
      

      In contrast, connect using beeline and it does show the database test_db to the user, as follows.

      0: jdbc:hive2://nightly59-1.gce.cloudera.com:> show current roles;
      +------------+--+
      |    role    |
      +------------+--+
      | test_role  |
      +------------+--+
      1 row selected (0.816 seconds)
      0: jdbc:hive2://nightly59-1.gce.cloudera.com:>
      0: jdbc:hive2://nightly59-1.gce.cloudera.com:> show databases;    <==== Note that test_db is displayed
      +----------------+--+
      | database_name  |
      +----------------+--+
      | default        |
      | test_db        |
      +----------------+--+
      2 rows selected (2.804 seconds)
      0: jdbc:hive2://nightly59-1.gce.cloudera.com:> 
      
      

      Even the Impala editor in Hue doesn't show the database, whereas the Hive editor in Hue shows the database if you have access to a column in a table in that database.

      Thanks,
      Sudarshan
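
An added example, not part of the original report and not Impala or Sentry code: a small Python model that parses `show grant role` output and computes which databases a role would see listed when column-scope grants are ignored (matching the impala-shell output above) versus counted (matching the beeline output). The `constructed_db` row, the rule that `default` is always listed, and the rule that TABLE-scope grants make a database visible are assumptions.

```python
# Model of database visibility derived from role grants (illustrative only).
# First data row is the grant shown in the report; the second row
# (constructed_db) is constructed sample data, not from the report.
SHOW_GRANT = """\
+--------+----------------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database       | table    | column | uri | privilege | grant_option | create_time                   |
+--------+----------------+----------+--------+-----+-----------+--------------+-------------------------------+
| COLUMN | test_db        | test_tbl | col1   |     | SELECT    | false        | Fri, Feb 17 2017 15:50:23.791 |
| TABLE  | constructed_db | t1       |        |     | SELECT    | false        | Fri, Feb 17 2017 15:51:00.000 |
+--------+----------------+----------+--------+-----+-----------+--------------+-------------------------------+
"""


def parse_grants(text):
    """Turn the ASCII table printed by `show grant role` into a list of dicts."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    header, data = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in data]


def visible_databases(grants, count_column_scope):
    """Databases a SHOW DATABASES listing would include for these grants.

    count_column_scope=False ignores COLUMN-scope grants (the behaviour the
    report observes in impala-shell); True counts them (observed in beeline).
    """
    visible = {"default"}  # assumption: `default` is listed for every user
    for grant in grants:
        if grant["scope"] == "COLUMN" and not count_column_scope:
            continue
        if grant["database"]:  # SERVER/URI-scope rows carry no database name
            visible.add(grant["database"])
    return sorted(visible)


def column_only_databases(grants):
    """Databases reachable only through column-scope grants, i.e. the ones
    whose listing differs between the two behaviours."""
    return sorted(set(visible_databases(grants, True))
                  - set(visible_databases(grants, False)))


if __name__ == "__main__":
    grants = parse_grants(SHOW_GRANT)
    print("column grants ignored:", visible_databases(grants, False))
    print("column grants counted:", visible_databases(grants, True))
    print("affected databases   :", column_only_databases(grants))
```

Running `column_only_databases` over each role's grants gives an administrator the list of databases whose visibility depends on this behaviour.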


          People

            bikramjeet.vig Bikramjeet Vig
            SudarshanS Sudarshan