Details
-
Bug
-
Status: Open
-
Critical
-
Resolution: Unresolved
-
None
-
None
-
None
-
ghx-label-9
Description
Since IMPALA-9498, we support returning ARRAYs from catalog views. If the array column is used relatively outside and the view is masked by Ranger column-masking/row-filtering policies, the query will failed.
For instance, functional_parquet.complextypestbl is a test table with the following schema:
id BIGINT, int_array ARRAY<INT>, int_array_array ARRAY<ARRAY<INT>>, int_map MAP<STRING,INT>, int_map_array ARRAY<MAP<STRING,INT>>, nested_struct STRUCT<a:INT,b:ARRAY<INT>,c:STRUCT<d:ARRAY<ARRAY<STRUCT<e:INT,f:STRING>>>>,g:MAP<STRING,STRUCT<h:STRUCT<i:ARRAY<DOUBLE>>>>>
functional_parquet.complextypes_arrays_only_view is a view on this table exposing the int arrays:
CREATE VIEW functional_parquet.complextypes_arrays_only_view AS SELECT id, int_array, int_array_array FROM functional_parquet.complextypestbl
Create a Ranger column-masking policy on the view that mask column "id" to "id * 100". The following query will fail:
select * from functional_parquet.complextypes_arrays_only_view t, t.int_array a; ERROR: AuthorizationException: User 'quanlong' does not have privileges to execute 'SELECT' on: t.int_array
Looking into the logs, it's due to the relative TableRef "t.int_array" can't be resolved:
E0119 09:22:52.945945 6748 AnalysisContext.java:625] 464a3aef49695517:b2c7d02900000000] Error analyzing the rewritten query. Original SQL: SELECT * FROM functional_parquet.complextypes_arrays_only_view t, t.int_array a Rewritten SQL: SELECT * FROM (SELECT CAST(id * 100 AS BIGINT) id FROM functional_parquet.complextypes_arrays_only_view t)t.int_array a Java exception follows: org.apache.impala.common.AnalysisException: Could not resolve table reference: 't.int_array' at org.apache.impala.analysis.Analyzer.resolvePath(Analyzer.java:1334) at org.apache.impala.analysis.Analyzer.resolvePath(Analyzer.java:1265) at org.apache.impala.analysis.Analyzer.resolvePathWithMasking(Analyzer.java:1182) at org.apache.impala.analysis.Analyzer.resolveTableRef(Analyzer.java:857) at org.apache.impala.analysis.FromClause.analyze(FromClause.java:86) at org.apache.impala.analysis.SelectStmt$SelectAnalyzer.analyze(SelectStmt.java:328) at org.apache.impala.analysis.SelectStmt$SelectAnalyzer.access$100(SelectStmt.java:280) at org.apache.impala.analysis.SelectStmt.analyze(SelectStmt.java:272) at org.apache.impala.analysis.AnalysisContext.reAnalyze(AnalysisContext.java:622) at org.apache.impala.analysis.AnalysisContext.analyze(AnalysisContext.java:553) at org.apache.impala.analysis.AnalysisContext.analyzeAndAuthorize(AnalysisContext.java:468) at org.apache.impala.service.Frontend.doCreateExecRequest(Frontend.java:2059) at org.apache.impala.service.Frontend.getTExecRequest(Frontend.java:1967) at org.apache.impala.service.Frontend.createExecRequest(Frontend.java:1789) at org.apache.impala.service.JniFrontend.createExecRequest(JniFrontend.java:164) I0119 09:22:52.946061 6748 AnalysisContext.java:484] 464a3aef49695517:b2c7d02900000000] Analysis took 132 ms I0119 09:22:52.949038 6748 BaseAuthorizationChecker.java:113] 464a3aef49695517:b2c7d02900000000] Authorization check took 2 ms I0119 09:22:52.949220 6748 jni-util.cc:288] 464a3aef49695517:b2c7d02900000000] org.apache.impala.authorization.AuthorizationException: User 'quanlong' does not have privileges to execute 'SELECT' on: t.int_array at org.apache.impala.authorization.BaseAuthorizationChecker.authorizeTableAccess(BaseAuthorizationChecker.java:288) at org.apache.impala.authorization.ranger.RangerAuthorizationChecker.authorizeTableAccess(RangerAuthorizationChecker.java:297) at org.apache.impala.authorization.BaseAuthorizationChecker.authorize(BaseAuthorizationChecker.java:167) at org.apache.impala.analysis.AnalysisContext.analyzeAndAuthorize(AnalysisContext.java:495) at org.apache.impala.service.Frontend.doCreateExecRequest(Frontend.java:2059) at org.apache.impala.service.Frontend.getTExecRequest(Frontend.java:1967) at org.apache.impala.service.Frontend.createExecRequest(Frontend.java:1789) at org.apache.impala.service.JniFrontend.createExecRequest(JniFrontend.java:164)