Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- Impala 2.6.0
Description
Following are the steps to reproduce it.
1) As a Sentry admin user, create the database and table, and grant SELECT privileges on a selected column to a user. In this example:
admin user = hive
restricted user = kms
database name = test_db
table name = test_tbl(col1 int, col2 int)
role name = test_role
Following are the commands to accomplish it.
create database test_db;
create role test_role;
create table test_db.test_tbl (col1 int, col2 int);
GRANT SELECT(col1) ON TABLE test_db.test_tbl TO ROLE test_role;
grant role test_role to group kms;
show grant role test_role;
(Before the second step, do an invalidate metadata in Impala if the above was done using Hive)
2) Now, connect with the user that has the role test_role and list the databases (user kms in our example). See the inline notes highlighted with a left arrow <===
[nightly59-2.gce.cloudera.com:25003] > show current roles;
Query: show current roles
+-----------+
| role_name |
+-----------+
| test_role |
+-----------+
Fetched 1 row(s) in 0.02s
[nightly59-2.gce.cloudera.com:25003] > show grant role test_role;
Query: show grant role test_role
+--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database | table    | column | uri | privilege | grant_option | create_time                   |
+--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
| COLUMN | test_db  | test_tbl | col1   |     | SELECT    | false        | Fri, Feb 17 2017 15:50:23.791 |
+--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.07s
[nightly59-2.gce.cloudera.com:25003] > show databases;   <==== Note that it doesn't display test_db
Query: show databases
+---------+-----------------------+
| name    | comment               |
+---------+-----------------------+
| default | Default Hive database |
+---------+-----------------------+
Fetched 1 row(s) in 0.02s
[nightly59-2.gce.cloudera.com:25003] >
In contrast, connect using beeline and it does show the database test_db to the user as follows.
0: jdbc:hive2://nightly59-1.gce.cloudera.com:> show current roles;
+------------+--+
|    role    |
+------------+--+
| test_role  |
+------------+--+
1 row selected (0.816 seconds)
0: jdbc:hive2://nightly59-1.gce.cloudera.com:>
0: jdbc:hive2://nightly59-1.gce.cloudera.com:> show databases;   <==== Note that test_db is displayed
+----------------+--+
| database_name  |
+----------------+--+
| default        |
| test_db        |
+----------------+--+
2 rows selected (2.804 seconds)
0: jdbc:hive2://nightly59-1.gce.cloudera.com:>
Even the Impala editor in Hue doesn't show the database, whereas the Hive editor in Hue shows the database if you have access to a column in a table in that database.
Thanks,
Sudarshan
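A check built from the two transcripts above, as an added example that is not part of the original report or of Impala's code: it parses the result tables of show grant role and show databases and lists the databases the role holds a privilege in but the listing omits. The function names are hypothetical, and the sample tables are copied from the sessions in this report.

```python
"""Added example: flag databases a role has grants in but SHOW DATABASES omits."""

# Result tables copied from the shell sessions in this report.
GRANTS = """\
+--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database | table    | column | uri | privilege | grant_option | create_time                   |
+--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
| COLUMN | test_db  | test_tbl | col1   |     | SELECT    | false        | Fri, Feb 17 2017 15:50:23.791 |
+--------+----------+----------+--------+-----+-----------+--------------+-------------------------------+
"""
IMPALA_DBS = """\
+---------+-----------------------+
| name    | comment               |
+---------+-----------------------+
| default | Default Hive database |
+---------+-----------------------+
"""
HIVE_DBS = """\
+----------------+--+
| database_name  |
+----------------+--+
| default        |
| test_db        |
+----------------+--+
"""


def parse_table(text):
    """Turn an ASCII result table into a list of {column: value} dicts."""
    rows = [
        [cell.strip() for cell in line.strip().split("|")[1:-1]]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skips borders, prompts, "Fetched" lines
    ]
    return [dict(zip(rows[0], row)) for row in rows[1:]] if rows else []


def hidden_databases(grants_output, databases_output, name_column="name"):
    """Databases named in SHOW GRANT ROLE output but absent from SHOW DATABASES."""
    # Server- and URI-scope grants have an empty database cell and are skipped.
    granted = {g["database"].lower() for g in parse_table(grants_output) if g.get("database")}
    listed = {d[name_column].lower() for d in parse_table(databases_output)}
    return sorted(granted - listed)


if __name__ == "__main__":
    print("impala-shell:", hidden_databases(GRANTS, IMPALA_DBS))
    print("beeline:", hidden_databases(GRANTS, HIVE_DBS, name_column="database_name"))
```

Run against fresh output from both shells, an empty list for each means the listing agrees with the role's grants.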
Issue Links
- relates to: IMPALA-4315 USE <db> statement throws auth error if user only has column privileges (Resolved)