Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Information Provided
Description
We found that based on the default Ranger policies loaded by $IMPALA_HOME/testdata/bin/create-load-data.sh, the following query would result in an AuthorizationException.
CREATE TABLE `kudu_table` ( `id` BIGINT, `name` STRING, primary key(id) ) STORED AS KUDU TBLPROPERTIES( 'kudu.master_addresses' = 'localhost' );
According to the error message, the requesting user does not have the necessary privileges on "server1", where "server1" is part of the input arguments we use to start impalad's and catalogd in an authorization-enabled cluster.
However, if we do not explicitly add the table property of 'kudu.master_addresses', the query could be performed without any error and the result returned for the query of "SHOW CREATE TABLE kudu_table" would still contain the property of "'kudu.master_addresses'='localhost'".
Hence, it would be good to figure out whether the check of the privileges on server1 is really necessary and whether the check could be waived if the explicitly specified 'kudu.master_addresses' happens to be the default value, i.e., "localhost" in this case. Notice that in order for a query with an explicitly specified 'kudu.master_addresses' property to succeed, we have to add the requesting user to the policies of 1) all - database, table, column, 2) all - database, udf, and 3) all - url, which seems to grant more privileges than necessary to the requesting user since in this case, the requesting user would be able to perform any operations on server1 in Impala.
Issue Links
- is related to: IMPALA-4000 Restricted Sentry authorization for Kudu Tables (Resolved)
- relates to: IMPALA-10436 Investigate the need for granting ALL privilege on server when creating an external Kudu table (Resolved)