mirror of
https://github.com/apache/impala.git
synced 2026-01-04 09:00:56 -05:00
This change adds support for authorizing based on policy metadata read from the Sentry Service. Authorization is role based and roles are granted to user groups. Each role can have zero or more privileges associated with it, granting fine-grained access to specific catalog objects at server, URI, database, or table scope. This patch only adds support to authorize against metadata read from the Sentry Policy Service; it does not add support for GRANT/REVOKE statements in Impala.

The authorization metadata is read by the catalog server from the Sentry Service and propagated to all nodes in the cluster in the "catalog-update" statestore topic. To enable the Catalog Server to read policy metadata, the --sentry_config must be set to a valid sentry-site.xml config file.

On the impalad side, we continue to support authorization based on a file-based provider. To enable file-based authorization, set the --authorization_policy_file to a non-empty value. If --authorization_policy_file is not set, authorization will be done based on cached policy metadata received from the Catalog Server (via the statestore).

TODO: There are still some issues with the Sentry Service that require disabling some of the authorization tests and adding some workarounds. I have added comments in the code where these workarounds are needed.

Change-Id: I3765748d2cdbe00f59eefa3c971558efede38eb1
Reviewed-on: http://gerrit.ent.cloudera.com:8080/2552
Reviewed-by: Lenni Kuff <lskuff@cloudera.com>
Tested-by: Lenni Kuff <lskuff@cloudera.com>
4.1 KiB
Executable File