Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-8921

Use kerberos short name for ranger requests.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • Impala 3.2.0, Impala 3.3.0
    • Impala 3.4.0
    • Catalog, Frontend
    • None
    • ghx-label-6

    Description

      For certain grant/revoke requests, we are using the full name, which is a fully qualified user principal.

      @Override
        public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      ====>        header.getRequesting_user(), true, params.getPrincipal_name(),
              Collections.emptyList(), plugin_.get().getClusterName(),
              header.getClient_ip(), params.getPrivileges());
      
      
      @Override
        public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      ====>        header.getRequesting_user(), false, params.getPrincipal_name(),
              Collections.emptyList(), plugin_.get().getClusterName(),
              header.getClient_ip(), params.getPrivileges());
      
      @Override
        public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      =>>>        header.getRequesting_user(), true, null,
              Collections.singletonList(params.getPrincipal_name()),
              plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());
      
        @Override
        public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      ===>        header.getRequesting_user(), false, null,
              Collections.singletonList(params.getPrincipal_name()),
              plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());
      
      

      Ranger expects a short name instead. The bug existed since the original implementation [1], but the code has been later refactored.

      [1] https://gerrit.cloudera.org/#/c/12914/

      Attachments

        Activity

          People

            bharathv Bharath Vissapragada
            bharathv Bharath Vissapragada
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: