commit | 1b4ca58a98a1509e6129132c9645fe059c9079d9 | |
---|---|---|
author | Fang-Yu Rao <fangyu.rao@cloudera.com> | Mon Nov 11 16:08:44 2019 -0800 |
committer | Impala Public Jenkins <impala-public-jenkins@cloudera.com> | Fri Dec 20 11:08:23 2019 +0000 |
tree | 0ae6522d8c6a93adbbf97a82a4df97d8884bea83 | |
parent | 8a4fececcf8e9599978cc1a532386b8e924838ed | |
IMPALA-9149: part 1: Re-enable Ranger-related FE tests

In IMPALA-9047, we disabled some Ranger-related FE and BE tests due to changes in Ranger's behavior after upgrading Ranger from 1.2 to 2.0. This patch aims to re-enable those disabled FE tests in AuthorizationStmtTest.java and RangerAuditLogTest.java to increase Impala's test coverage of authorization via Ranger.

There are at least two major changes in Ranger's behavior in the newer versions.

1. The first is that the owner of the requested resource no longer has to be explicitly granted privileges in order to access the resource.
2. The second is that a user not explicitly granted the privilege of creating a database is able to do so.

Due to these changes, some of the previous Ranger authorization requests that were expected to be rejected are now granted after the upgrade.

To re-enable the tests affected by the first change described above, we modify AuthorizationTestBase.java to allow our FE Ranger authorization tests to specify the requesting user in an authorization test. Those tests failed after the upgrade because the default requesting user in Impala's AuthorizationTestBase.java happens to be the owner of the resources involved in our FE authorization tests. After this patch, a requesting user can be either a non-owner user or an owner user in a Ranger authorization test and the requesting user would correspond to a non-owner user if it is not explicitly specified. Note that in a Sentry authorization test, we do not use the non-owner user as the requesting user by default as we do in the Ranger authorization tests. Instead, we set the name of the requesting user to a name that is the same as the owner user in Ranger authorization tests to avoid the need for providing a customized group mapping service when instantiating a Sentry ResourceAuthorizationProvider as we do in AuthorizationTest.java, our FE tests specifically for testing authorization via Sentry.

On the other hand, to re-enable the tests affected by the second change, we remove from the Ranger policy for all databases the allowed condition that grants any user the privilege of creating a database, which is not by default granted by Sentry. After the removal of the allowed condition, those tests in AuthorizationStmtTest.java and RangerAuditLogTest.java affected by the second change now result in the same authorization errors before the upgrade of Ranger.

Testing:
- Passed AuthorizationStmtTest.java in a local dev environment
- Passed RangerAuditLogTest.java in a local dev environment

Change-Id: I228533aae34b9ac03bdbbcd51a380770ff17c7f2
Reviewed-on: http://gerrit.cloudera.org:8080/14798
Reviewed-by: Quanlong Huang <huangquanlong@gmail.com>
Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
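The effect of the two behavior changes on denial tests, as an added example that is not part of the commit or of Impala's or Ranger's code: a toy policy evaluator in which the `{OWNER}` and any-user principals, the policy layout, and the user and database names are all constructed assumptions.

```python
# Toy policy model (constructed for illustration; not Ranger's or Impala's code).
from dataclasses import dataclass, field

OWNER = "{OWNER}"   # assumed principal meaning "the owner of the resource"
ANY_USER = "*"      # assumed principal meaning "any user"

@dataclass
class Policy:
    resource: str                               # "*" matches every database
    allow: dict = field(default_factory=dict)   # principal -> set of privileges

def is_allowed(policies, owners, user, privilege, resource):
    """True if any policy matching `resource` grants `privilege` to `user`."""
    for policy in policies:
        if policy.resource not in ("*", resource):
            continue
        for principal, privileges in policy.allow.items():
            is_owner = principal == OWNER and owners.get(resource) == user
            if privilege in privileges and (principal in (user, ANY_USER) or is_owner):
                return True
    return False

def wrongly_granted(policies, owners, requesting_user):
    """Run the denial tests as `requesting_user`; return requests that were granted."""
    expected_denied = [("select", "functional"), ("create", "newdb")]
    return [(priv, db) for priv, db in expected_denied
            if is_allowed(policies, owners, requesting_user, priv, db)]

# Constructed fixtures: one existing database and two users with no explicit grants.
OWNERS = {"functional": "owner_user"}
ALL_PRIVS = {"select", "create", "drop"}
# Policy for all databases as the message describes it after the upgrade:
# implicit owner access plus an allow condition letting any user create.
PERMISSIVE = [Policy("*", {OWNER: ALL_PRIVS, ANY_USER: {"create"}})]
# Same policy with the any-user create condition removed.
TIGHTENED = [Policy("*", {OWNER: ALL_PRIVS})]

if __name__ == "__main__":
    for name, policies in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        for user in ("owner_user", "non_owner_user"):
            print(name, user, wrongly_granted(policies, OWNERS, user))
```

Only the tightened policy evaluated for the non-owner user rejects every request the denial tests expect to be rejected; changing the requesting user or the policy alone still leaves one request granted.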
Lightning-fast, distributed SQL queries for petabytes of data stored in Apache Hadoop clusters.
Impala is a modern, massively-distributed, massively-parallel, C++ query engine that lets you analyze, transform and combine data from a variety of data sources:
To learn more about Impala as a business user, or to try Impala live or in a VM, please visit the Impala homepage.
If you are interested in contributing to Impala as a developer, or learning more about Impala's internals and architecture, visit the Impala wiki.
Impala only supports Linux at the moment.
This distribution uses cryptographic software and may be subject to export controls. Please refer to EXPORT_CONTROL.md for more information.
See bin/bootstrap_build.sh.
Impala can be built with pre-built components or components downloaded from S3. The components needed to build Impala are Apache Hadoop, Hive, HBase, and Sentry. If you need to manually override the locations or versions of these components, you can do so through the environment variables and scripts listed below.
Location | Purpose |
---|---|
bin/impala-config.sh | This script must be sourced to set up all environment variables properly to allow other scripts to work. |
bin/impala-config-local.sh | A script can be created in this location to set local overrides for any environment variables |
bin/impala-config-branch.sh | A version of the above that can be checked into a branch for convenience. |
bin/bootstrap_build.sh | A helper script to bootstrap some of the build requirements. |
bin/bootstrap_development.sh | A helper script to bootstrap a developer environment. Please read it before using. |
be/build/ | Impala build output goes here. |
be/generated-sources/ | Thrift and other generated source will be found here. |
Environment variable | Default value | Description |
---|---|---|
IMPALA_HOME | Top level Impala directory | |
IMPALA_TOOLCHAIN | “${IMPALA_HOME}/toolchain” | Native toolchain directory (for compilers, libraries, etc.) |
SKIP_TOOLCHAIN_BOOTSTRAP | “false” | Skips downloading the toolchain and any Python dependencies if “true” |
CDH_BUILD_NUMBER | Identifier to indicate the CDH build number | |
CDH_COMPONENTS_HOME | “${IMPALA_HOME}/toolchain/cdh_components-${CDH_BUILD_NUMBER}” | Location of the CDH components within the toolchain. |
CDH_MAJOR_VERSION | “5” | Identifier used to uniqueify paths for potentially incompatible component builds. |
IMPALA_CONFIG_SOURCED | “1” | Set by ${IMPALA_HOME}/bin/impala-config.sh (internal use) |
JAVA_HOME | “/usr/lib/jvm/${JAVA_VERSION}” | Used to locate Java |
JAVA_VERSION | “java-7-oracle-amd64” | Can override to set a local Java version. |
JAVA | “${JAVA_HOME}/bin/java” | Java binary location. |
CLASSPATH | See bin/set-classpath.sh for details. | |
PYTHONPATH | Will be changed to include: “${IMPALA_HOME}/shell/gen-py” “${IMPALA_HOME}/testdata” “${THRIFT_HOME}/python/lib/python2.7/site-packages” “${HIVE_HOME}/lib/py” “${IMPALA_HOME}/shell/ext-py/prettytable-0.7.1/dist/prettytable-0.7.1” "${IMPALA_HOME}/shell/ext-py/sasl-0.1.1/dist/sasl-0.1.1-py2.7-linux-x "${IMPALA_HOME}/shell/ext-py/sqlparse-0.1.19/dist/sqlparse-0.1.19-py2 |
Environment variable | Default value | Description |
---|---|---|
IMPALA_BE_DIR | “${IMPALA_HOME}/be” | Backend directory. Build output is also stored here. |
IMPALA_FE_DIR | “${IMPALA_HOME}/fe” | Frontend directory |
IMPALA_COMMON_DIR | “${IMPALA_HOME}/common” | Common code (thrift, function registry) |
Environment variable | Default value | Description |
---|---|---|
IMPALA_BUILD_THREADS | “8” or set to number of processors by default. | Used for make -j and distcc -j settings. |
IMPALA_MAKE_FLAGS | "" | Any extra settings to pass to make. Also used when copying udfs / udas into HDFS. |
USE_SYSTEM_GCC | “0” | If set to any other value, directs cmake to not set GCC_ROOT, CMAKE_C_COMPILER, CMAKE_CXX_COMPILER, as well as setting TOOLCHAIN_LINK_FLAGS |
IMPALA_CXX_COMPILER | “default” | Used by cmake (cmake_modules/toolchain and clang_toolchain.cmake) to select gcc / clang |
USE_GOLD_LINKER | “true” | Directs backend cmake to use gold. |
IS_OSX | “false” | (Experimental) currently only used to disable Kudu. |
Environment variable | Default value | Description |
---|---|---|
HADOOP_HOME | “${CDH_COMPONENTS_HOME}/hadoop-${IMPALA_HADOOP_VERSION}/” | Used to locate Hadoop |
HADOOP_INCLUDE_DIR | “${HADOOP_HOME}/include” | For ‘hdfs.h’ |
HADOOP_LIB_DIR | “${HADOOP_HOME}/lib” | For ‘libhdfs.a’ or ‘libhdfs.so’ |
HIVE_HOME | “${CDH_COMPONENTS_HOME}/hive-${IMPALA_HIVE_VERSION}/” | |
HBASE_HOME | “${CDH_COMPONENTS_HOME}/hbase-${IMPALA_HBASE_VERSION}/” | |
SENTRY_HOME | “${CDH_COMPONENTS_HOME}/sentry-${IMPALA_SENTRY_VERSION}/” | Used to set up test data |
THRIFT_HOME | “${IMPALA_TOOLCHAIN}/thrift-${IMPALA_THRIFT_VERSION}” | |