Details
Bug
Status: Resolved
Major
Resolution: Fixed
Impala 3.4.0
Description
The Ranger authorization checker missed a case when handling column-level deny policies for SELECT and INSERT statements. As a result, those policies are not enforced, which can allow unintended access to protected columns.
Steps to Repro:
Connect impala-shell as admin:
CREATE TABLE t1(c1 int, c2 int);
INSERT INTO T1 VALUES(1,1);
In Ranger:
Add policies:
1) Name t1allow, Database *, Table t1,
Allow conditions user: <unix login>, Permissions: select
2) Name t1deny, Database *, Table t1,
Deny conditions user: <unix login>, Permissions: select
Connect impala-shell as <unix login>:
SELECT c1 FROM t1; -- Not allowed
SELECT c2 FROM t1; -- Allowed
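The outcome the repro steps expect, as a simplified model of deny-over-allow evaluation per referenced column. This is an added example, not Impala or Ranger code. The user `alice`, the column scopes on both policies, and all function names are assumptions, and deny exceptions are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    table: str
    column: str      # "*" matches every column
    user: str
    permission: str
    deny: bool       # True = deny condition, False = allow condition

# Constructed policies modelled on the report's t1allow / t1deny. The user
# "alice" and both column scopes are assumptions, not values from the report.
POLICIES = [
    Policy("t1allow", "t1", "*", "alice", "select", deny=False),
    Policy("t1deny", "t1", "c1", "alice", "select", deny=True),
]

def _matches(p, user, table, column, permission):
    return (p.user == user and p.table == table
            and p.permission == permission and p.column in ("*", column))

def column_allowed(policies, user, table, column, permission):
    """Deny wins over allow; no matching policy means no access."""
    hits = [p for p in policies if _matches(p, user, table, column, permission)]
    if any(p.deny for p in hits):
        return False
    return any(not p.deny for p in hits)

def rejected_columns(policies, user, table, columns, permission):
    """Columns that must cause the statement to be rejected (empty = allowed)."""
    return [c for c in columns
            if not column_allowed(policies, user, table, c, permission)]

def table_only_check(policies, user, table, permission):
    """Illustrative failure mode: accept on a table-wide allow without
    consulting column-scoped deny policies. Use it as the negative control
    in a regression test, never as the decision."""
    return any(not p.deny and _matches(p, user, table, "*", permission)
               and p.column == "*" for p in policies)

if __name__ == "__main__":
    for cols in (["c1"], ["c2"], ["c1", "c2"]):
        print(cols, "rejected for:",
              rejected_columns(POLICIES, "alice", "t1", cols, "select"))
```

A regression test for this class of bug should assert on the per-column result and treat a bare table-level allow as insufficient evidence that a statement is authorized.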