Security considerations for UDFs

When the Impala authorization feature is enabled:

  • To call a UDF in a query, you must have the required read privilege for any databases and tables used in the query.
  • The CREATE FUNCTION statement requires:
    • The CREATE privilege on the database.
    • The ALL privilege on two URIs where the URIs are:
      • The JAR file on the file system. For example:
        
        GRANT ALL ON URI 'file:///path_to_my.jar' TO ROLE my_role;
          
      • The JAR on HDFS. For example:
        GRANT ALL ON URI 'hdfs:///path/to/jar' TO ROLE my_role