ROLE statements in Impala integrated with Ranger
After upgrading or migrating your workload from CDH to CDP you will have started using Apache Ranger as the authorization provider in Impala. This replaces Apache Sentry. There are some differences in Impala’s behavior which you must be aware of when using Ranger as the authorization provider.
Access via Roles in CDP Impala
Impala with Sentry revolved around granting privileges to ROLES, and ROLES to GROUPS. Until this release, Impala’s integration with Ranger did not support ROLE related DDL statements. So as a workaround you had to migrate the ROLE-based authorization policies, manage them using Ranger's web UI, to handle them correctly in Impala. You will no longer need to use the Ranger’s web UI to manage the ROLEs in CDP 7.1.6 since Impala now supports ROLE management through ROLE related statements.
Managing ROLES using Ranger’s WEB UI
You can perform the following steps to grant to a normal user the privileges on a resource via ROLEs.
- Assign a user to a group, e.g. using your corporate LDAP provider.
- In the Ranger web UI, create a ROLE that includes the group consisting of the user we want to grant the privileges.
- In the Ranger web UI,
- create a policy for the corresponding resource, e.g., a table,
- in the 'Select Role' field under the section of 'Allow Conditions', add the ROLE just created above,
- in the 'Permissions' field under the section of 'Allow Conditions', add the privileges we want to grant to the ROLE associated with the group consisting of that normal user.
ROLE related statements in Impala
To bridge the gap between CDH Impala and CDP Impala in terms of ROLE-related operations, CDP 7.1.6 introduces ROLE related statements in Impala integrated with Ranger.
CREATE ROLE <role_name> DROP ROLE <role_name> GRANT ROLE <role_name> TO GROUP <group_name> REVOKE ROLE <role_name> FROM GROUP <group_name> GRANT <privilege> ON <resource> TO ROLE <role_name> REVOKE <privilege> ON <resource> FROM ROLE <role_name> SHOW GRANT ROLE <role_name> ON <resource> SHOW ROLES SHOW CURRENT ROLES SHOW ROLE GRANT GROUP <group_name>
Differences in Impala’s behavior
The following list describes the major differences in Impala’s behavior when using Ranger as the authorization provider in place of Sentry.
- Before dropping a role in Ranger, you must remove all the privileges granted to the role in advance, which was not the case when Sentry was the authorization provider.
- You must specify the resource for the SHOW GRANT ROLE <role_name> ON <resource> statement which is different when using Sentry as the authorization provider. This is due to the fact that there is no API provided by Ranger that allows Impala to directly retrieve the list of all privileges granted to a specified role.