Support Questions

Andreyeff · ‎07-19-2018

Hi,

We're strugling with the issue that Impala does not provide access to SHOW CREATE VIEW statement for the owner of the view (as well as owner of underlying table). Sentry based authorization is used.
The documentation (https://www.cloudera.com/documentation/enterprise/5-14-x/topics/impala_show.html#show_create_view) states that the required privileges should be: VIEW_METADATA privilege on the view and SELECT privilege on all underlying views and tables.

In our case the user owns the view and table, therefore, I expect both are fulfilled.

As you could see in the log below, the user has created, selected and dropped the view, but he couldn't see the CREATE statement.

Invalidate metadata was tried too.
Could you kindly help to resolve the issue, so that developers could check the CREATE statements - is there a missing bit or is it a bug?

Environment:
CDH 5.14.2
Impala 2.11.0
LDAP authentication
Sentry file authorization

Here is the log from different aspects:

=== Sentry file ========
[users]
svc.analyticaldata_dq=analytical_data, ...
...
[groups]
analytical_data=analytical_data
...
[roles]
analytical_data=server=server1->db=analytical_data
...

=== Impala CLI =============
[node009:21000] > select version();
Query: select version()
+-------------------------------------------------------------------------------------------+
| version() |
+-------------------------------------------------------------------------------------------+
| impalad version 2.11.0-cdh5.14.2 RELEASE (build ed85dce709da9557aeb28be89e8044947708876c) |
| Built on Tue Mar 27 13:39:48 PDT 2018 |
+-------------------------------------------------------------------------------------------+

[node009:21000] > select user();
Query: select user()
Query submitted at: 2018-07-19 15:30:16 (Coordinator: http://node009:25000)
Query progress can be monitored at: http://node009:25000/query_plan?query_id=1e4cc7a8258b79ff:e58adb9100000000
+-----------------------+
| user() |
+-----------------------+
| svc.analyticaldata_dq |
+-----------------------+
Fetched 1 row(s) in 0.08s

[node009:21000] > use analytical_data;
Query: use analytical_data

[node009:21000] > create view t as select count(*) from system9999.cases;
Query: create view t as select count(*) from system9999.cases
Query submitted at: 2018-07-19 15:24:52 (Coordinator: http://node009:25000)
Query progress can be monitored at: http://node009:25000/query_plan?query_id=304454e5a834396a:c1fbf50a00000000
Fetched 0 row(s) in 0.08s

[node009:21000] > select * from t;
Query: select * from t
Query submitted at: 2018-07-19 15:24:55 (Coordinator: http://node009:25000)
Query progress can be monitored at: http://node009:25000/query_plan?query_id=27459f84b4308766:6ed0235200000000
+---------+
| _c0 |
+---------+
| 6609331 |
+---------+
Fetched 1 row(s) in 4.50s

[node009:21000] > show create view t;
Query: show create view t
ERROR: AuthorizationException: User 'svc.analyticaldata_dq' does not have privileges to see the definition of view 'analytical_data.t'.

[node009:21000] > drop view t;
Query: drop view t
=== Metastore =============
[metastore]> select TBL_ID,TBL_NAME,OWNER,TBL_TYPE from TBLS where DB_ID=374406;

+---------+--------------------------------------------+-----------------------+---------------+
| TBL_ID | TBL_NAME | OWNER | TBL_TYPE |
+---------+--------------------------------------------+-----------------------+---------------+
| 1222804 | t | svc.analyticaldata_dq | VIRTUAL_VIEW |

fwijaya · ‎07-19-2018

In our case the user owns the view and table, therefore, I expect both are fulfilled.

Object ownership is not currently supported in Impala. However, we are currently working on it: https://issues.apache.org/jira/browse/IMPALA-7075

To be able to execute SHOW CREATE VIEW, you need access to the view as well as the underlying table(s). In your particular example, you need to have access to both "t" and "system9999.cases". This is because SHOW CREATE VIEW will reveal the information on the underlying table(s). Hence, the need to have access to the underlying table(s). This is different than other statements, such as SELECT, DROP, etc that require no information on the underlying table(s).

However, there seems to be a bug with SHOW CREATE VIEW that references bulit-in functions, such as "count", etc. I filed a bug in https://issues.apache.org/jira/browse/IMPALA-7325

View solution in original post

fwijaya · ‎07-19-2018

In our case the user owns the view and table, therefore, I expect both are fulfilled.

Object ownership is not currently supported in Impala. However, we are currently working on it: https://issues.apache.org/jira/browse/IMPALA-7075

To be able to execute SHOW CREATE VIEW, you need access to the view as well as the underlying table(s). In your particular example, you need to have access to both "t" and "system9999.cases". This is because SHOW CREATE VIEW will reveal the information on the underlying table(s). Hence, the need to have access to the underlying table(s). This is different than other statements, such as SELECT, DROP, etc that require no information on the underlying table(s).

However, there seems to be a bug with SHOW CREATE VIEW that references bulit-in functions, such as "count", etc. I filed a bug in https://issues.apache.org/jira/browse/IMPALA-7325

Andreyeff · ‎07-19-2018

Oh, the issue appeared to be even in functions.
Thanks for fast reply and raising a ticket.

Cloudera Community

Support Questions

SHOW CREATE VIEW fails for owner