mirror of
https://github.com/apache/impala.git
synced 2026-01-09 15:00:11 -05:00
ffe9e4b74e
This change adds support for GRANT/REVOKE to Impala via the Sentry Service. This includes support for creating and dropping roles, granting and revoking roles to/from groups, granting/revoking privileges to/from roles, and commands to view role metadata. The specific statements that are added in this patch are: CREATE/DROP ROLE <roleName> SHOW ROLES SHOW ROLE GRANT GROUP <groupName> GRANT/REVOKE ROLE <roleName> TO/FROM GROUP <groupName> GRANT/REVOKE <privilegeSpec> TO/FROM <roleName It does not include some of the fancier bulk-op syntax like support for granting multiple roles to multiple groups in one statement. This patch does not add support for the WITH GRANT OPTION to delegate GRANT/REVOKE privileges to other users. TODO: * Authorize these statements on the client side. The current Sentry Service design makes it difficult to authorize any GRANT/REVOKE statement on the client (Impala) side. Privilege checks are done within the Sentry Service itself. There are a few different options available to let Impala "fail fast" and those changes will come in a follow on patch. Change-Id: Ic6bd19f5939d3290255222dcc1a42ce95bd345e2