Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-8921

Use kerberos short name for ranger requests.

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: Impala 3.2.0, Impala 3.3.0
    • Fix Version/s: Impala 3.4.0
    • Component/s: Catalog, Frontend
    • Labels:
      None
    • Epic Color:
      ghx-label-6

      Description

      For certain grant/revoke requests, we are using the full name, which is a fully qualified user principal.

      @Override
        public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      ====>        header.getRequesting_user(), true, params.getPrincipal_name(),
              Collections.emptyList(), plugin_.get().getClusterName(),
              header.getClient_ip(), params.getPrivileges());
      
      
      @Override
        public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      ====>        header.getRequesting_user(), false, params.getPrincipal_name(),
              Collections.emptyList(), plugin_.get().getClusterName(),
              header.getClient_ip(), params.getPrivileges());
      
      @Override
        public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      =>>>        header.getRequesting_user(), true, null,
              Collections.singletonList(params.getPrincipal_name()),
              plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());
      
        @Override
        public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
          List<GrantRevokeRequest> requests = createGrantRevokeRequests(
      ===>        header.getRequesting_user(), false, null,
              Collections.singletonList(params.getPrincipal_name()),
              plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());
      
      

      Ranger expects a short name instead. The bug existed since the original implementation [1], but the code has been later refactored.

      [1] https://gerrit.cloudera.org/#/c/12914/

        Attachments

          Activity

            People

            • Assignee:
              bharathv Bharath Vissapragada
              Reporter:
              bharathv Bharath Vissapragada
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: