Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-11851

Relative paths on nested columns of a Ranger masked view can't be resolved

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • None
    • None
    • Security
    • None
    • ghx-label-9

    Description

      Since IMPALA-9498, we support returning ARRAYs from catalog views. If the array column is used relatively outside and the view is masked by Ranger column-masking/row-filtering policies, the query will failed.

      For instance, functional_parquet.complextypestbl is a test table with the following schema:

        id BIGINT,
  int_array ARRAY<INT>,
  int_array_array ARRAY<ARRAY<INT>>,
  int_map MAP<STRING,INT>,
  int_map_array ARRAY<MAP<STRING,INT>>,
  nested_struct STRUCT<a:INT,b:ARRAY<INT>,c:STRUCT<d:ARRAY<ARRAY<STRUCT<e:INT,f:STRING>>>>,g:MAP<STRING,STRUCT<h:STRUCT<i:ARRAY<DOUBLE>>>>>

      functional_parquet.complextypes_arrays_only_view is a view on this table exposing the int arrays:

      CREATE VIEW functional_parquet.complextypes_arrays_only_view AS
SELECT id, int_array, int_array_array FROM functional_parquet.complextypestbl

      Create a Ranger column-masking policy on the view that mask column "id" to "id * 100". The following query will fail:

      select * from functional_parquet.complextypes_arrays_only_view t, t.int_array a;

ERROR: AuthorizationException: User 'quanlong' does not have privileges to execute 'SELECT' on: t.int_array

      Looking into the logs, it's due to the relative TableRef "t.int_array" can't be resolved:

      E0119 09:22:52.945945  6748 AnalysisContext.java:625] 464a3aef49695517:b2c7d02900000000] Error analyzing the rewritten query.
Original SQL: SELECT * FROM functional_parquet.complextypes_arrays_only_view t, t.int_array a
Rewritten SQL: SELECT * FROM (SELECT CAST(id * 100 AS BIGINT) id FROM functional_parquet.complextypes_arrays_only_view t)t.int_array a
Java exception follows:
org.apache.impala.common.AnalysisException: Could not resolve table reference: 't.int_array'
        at org.apache.impala.analysis.Analyzer.resolvePath(Analyzer.java:1334)
        at org.apache.impala.analysis.Analyzer.resolvePath(Analyzer.java:1265)
        at org.apache.impala.analysis.Analyzer.resolvePathWithMasking(Analyzer.java:1182)
        at org.apache.impala.analysis.Analyzer.resolveTableRef(Analyzer.java:857)
        at org.apache.impala.analysis.FromClause.analyze(FromClause.java:86)
        at org.apache.impala.analysis.SelectStmt$SelectAnalyzer.analyze(SelectStmt.java:328)
        at org.apache.impala.analysis.SelectStmt$SelectAnalyzer.access$100(SelectStmt.java:280)
        at org.apache.impala.analysis.SelectStmt.analyze(SelectStmt.java:272)
        at org.apache.impala.analysis.AnalysisContext.reAnalyze(AnalysisContext.java:622)
        at org.apache.impala.analysis.AnalysisContext.analyze(AnalysisContext.java:553)
        at org.apache.impala.analysis.AnalysisContext.analyzeAndAuthorize(AnalysisContext.java:468)
        at org.apache.impala.service.Frontend.doCreateExecRequest(Frontend.java:2059)
        at org.apache.impala.service.Frontend.getTExecRequest(Frontend.java:1967)
        at org.apache.impala.service.Frontend.createExecRequest(Frontend.java:1789)
        at org.apache.impala.service.JniFrontend.createExecRequest(JniFrontend.java:164)
I0119 09:22:52.946061  6748 AnalysisContext.java:484] 464a3aef49695517:b2c7d02900000000] Analysis took 132 ms
I0119 09:22:52.949038  6748 BaseAuthorizationChecker.java:113] 464a3aef49695517:b2c7d02900000000] Authorization check took 2 ms 
I0119 09:22:52.949220  6748 jni-util.cc:288] 464a3aef49695517:b2c7d02900000000] org.apache.impala.authorization.AuthorizationException: User 'quanlong' does not have privileges to execute 'SELECT' on: t.int_array
        at org.apache.impala.authorization.BaseAuthorizationChecker.authorizeTableAccess(BaseAuthorizationChecker.java:288)
        at org.apache.impala.authorization.ranger.RangerAuthorizationChecker.authorizeTableAccess(RangerAuthorizationChecker.java:297)
        at org.apache.impala.authorization.BaseAuthorizationChecker.authorize(BaseAuthorizationChecker.java:167)
        at org.apache.impala.analysis.AnalysisContext.analyzeAndAuthorize(AnalysisContext.java:495)
        at org.apache.impala.service.Frontend.doCreateExecRequest(Frontend.java:2059)
        at org.apache.impala.service.Frontend.getTExecRequest(Frontend.java:1967)
        at org.apache.impala.service.Frontend.createExecRequest(Frontend.java:1789)
        at org.apache.impala.service.JniFrontend.createExecRequest(JniFrontend.java:164)

      Attachments

        Activity

          People

            stigahuang Quanlong Huang
            stigahuang Quanlong Huang
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: