  1. IMPALA
  2. IMPALA-8933

Ranger column deny policies not respected under certain circumstances


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • Impala 3.4.0
    • Impala 3.4.0
    • Security

    Description

      Ranger authorization checker missed a case of handling column level deny policies for select and insert statements. This issue causes the policies to not be enforced and can allow unintended access to protected columns.

      Steps to Repro:
      Connect impala-shell as admin:
      CREATE TABLE t1(c1 int, c2 int);
      INSERT INTO T1 VALUES(1,1);
      In Ranger:
      Add policies:
      1) Name t1allow, Database *, Table t1,
      Allow conditions user: <unix login>, Permissions: select
      2) Name t1deny, Database *, Table t1,
      Deny conditions user: <unix login>, Permissions: select
      Connect impala-shell as <unix login>:
      SELECT c1 from t1; -- Not allowed
      SELECT c2 from t1; -- Allowed

          People

            kdeschle Kurt Deschler
            kdeschle Kurt Deschler