ROLE statements in Impala integrated with Ranger
After upgrading or migrating your workload from CDH to you will have started using Apache Ranger as the authorization provider in Impala. This replaces Apache Sentry. There are some differences in Impala’s behavior which you must be aware of when using Ranger as the authorization provider.
Access using Roles in Impala
Impala with Sentry revolved around granting privileges to ROLES, and ROLES to GROUPS. Until this release, Impala’s integration with Ranger did not support ROLE-related DDL statements, so as a workaround you had to migrate the ROLE-based authorization policies and manage them through Ranger’s web UI for Impala to enforce them correctly. Starting with 7.1.6 you no longer need the Ranger web UI to manage ROLEs, since Impala now supports ROLE management through ROLE-related statements.
Managing ROLES using Ranger WEB UI
You can perform the following steps to grant a normal user privileges on a resource using ROLEs.
- Assign the user to a group, for example, using your corporate LDAP provider.
- In the Ranger web UI, create a ROLE that includes the group containing the user to whom you want to grant the privileges.
- In the Ranger web UI, perform the following tasks:
  - Create a policy for the corresponding resource, such as a table.
  - In the Select Role field in the Allow Conditions section, add the ROLE just created above.
  - In the Permissions field in the Allow Conditions section, add the privileges you want to grant to the ROLE associated with the group containing that normal user.
ROLE-related statements in Impala
To bridge the gap between CDH Impala and Impala in terms of ROLE-related operations, 7.1.6 introduces ROLE-related statements in Impala integrated with Ranger.
CREATE ROLE <role_name>
DROP ROLE <role_name>
GRANT ROLE <role_name> TO GROUP <group_name>
REVOKE ROLE <role_name> FROM GROUP <group_name>
GRANT <privilege> ON <resource> TO ROLE <role_name>
REVOKE <privilege> ON <resource> FROM ROLE <role_name>
SHOW GRANT ROLE <role_name> ON <resource>
SHOW ROLES
SHOW CURRENT ROLES
SHOW ROLE GRANT GROUP <group_name>
Differences in the Impala behavior
The following list describes the major differences in the Impala behavior when using Ranger as the authorization provider in place of Sentry.
- Before dropping a role in Ranger, you must remove all the privileges granted to the role in advance, which was not the case when Sentry was the authorization provider.
- You must specify the resource in the SHOW GRANT ROLE <role_name> ON <resource> statement, which was not required when using Sentry as the authorization provider. This is because Ranger provides no API that allows Impala to directly retrieve the list of all privileges granted to a specified role.
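The following Impala SQL session is an added example, not taken from the Cloudera documentation, that walks the ROLE-related statements listed above through a full lifecycle and shows where the two Ranger-specific differences bite. The role name sales_analysts, the group analysts_grp and the table sales.orders are constructed placeholders.

```sql
-- Added example (not from the Cloudera documentation): the Ranger-backed
-- ROLE lifecycle in Impala with constructed names. Replace sales_analysts,
-- analysts_grp and sales.orders with your own role, group and table.

-- 1. Create the role and attach it to an LDAP/OS group.
CREATE ROLE sales_analysts;
GRANT ROLE sales_analysts TO GROUP analysts_grp;

-- 2. Grant a privilege on a resource to the role, not to the group directly.
GRANT SELECT ON TABLE sales.orders TO ROLE sales_analysts;

-- 3. Verify the assignment. With Ranger the ON <resource> clause is
--    mandatory here, because Ranger exposes no API that returns every
--    privilege held by a role.
SHOW GRANT ROLE sales_analysts ON TABLE sales.orders;
SHOW ROLE GRANT GROUP analysts_grp;
SHOW ROLES;

-- 4. Tear-down. With Ranger, a role that still holds privileges cannot be
--    dropped, so revoke them first, then detach the group, then drop.
REVOKE SELECT ON TABLE sales.orders FROM ROLE sales_analysts;
REVOKE ROLE sales_analysts FROM GROUP analysts_grp;
DROP ROLE sales_analysts;
```

Run the tear-down block in exactly this order; issuing DROP ROLE while the SELECT grant is still in place is the case the first bullet above warns about, and with Sentry it would have succeeded silently.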
User role management in Impala
You can manage access by granting or revoking roles for specific users. This gives you granular security management and keeps the model consistent with the Cloudera Hive authorization model. You can assign roles directly to users to address individual permission requirements without modifying group-level structures.
Impala allows you to assign a role to a user, which simplifies the process of managing permissions for specific accounts. Users inherit all privileges associated with the granted role. You can also verify these assignments by viewing the roles currently granted to a user.
- Ownership and Ranger – When you use Apache Ranger, a user might still have access to a resource if they are the owner of that resource such as a database. For example, if a user owns a database, Ranger allows them to perform operations on it by default. To fully restrict a user, you might need to alter the ownership of the database in addition to revoking roles.
- User and group assignments – Roles can be assigned to either a user or a group. You can verify which roles are active for your current session by running the SHOW CURRENT ROLES statement.
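The session below is an added example, not part of the Cloudera documentation, showing a role granted directly to a user and the ownership caveat from the first bullet. The role report_readers, the user jdoe, the database reporting and the service account data_owner_svc are constructed placeholders. The documentation describes assigning roles to users but does not print the statement form, so the TO USER / FROM USER variants of GRANT ROLE and REVOKE ROLE are assumed here; ALTER DATABASE ... SET OWNER USER is standard Impala syntax.

```sql
-- Added example (not from the Cloudera documentation). All names are
-- constructed: report_readers (role), jdoe (user), reporting (database),
-- data_owner_svc (service account that should own the database).
-- ASSUMPTION: GRANT ROLE ... TO USER and REVOKE ROLE ... FROM USER are the
-- user-level forms of the group statements; confirm against your release.

CREATE ROLE report_readers;
GRANT SELECT ON DATABASE reporting TO ROLE report_readers;

-- Assign the role to a single user instead of to a whole group, so the
-- group structure in LDAP stays untouched.
GRANT ROLE report_readers TO USER jdoe;

-- Connected as jdoe: report_readers should now be listed for the session.
SHOW CURRENT ROLES;

-- Revoking the role is not sufficient if jdoe owns the database, because
-- Ranger lets an owner operate on the owned resource by default.
REVOKE ROLE report_readers FROM USER jdoe;

-- Move ownership to a dedicated account so the revoke actually takes effect.
ALTER DATABASE reporting SET OWNER USER data_owner_svc;

-- Connected as jdoe again: report_readers should no longer appear.
SHOW CURRENT ROLES;
```

Running SHOW CURRENT ROLES before and after the revoke, as the user in question, is the quickest check that the change reached the session; checking ownership separately catches the case where the role was never what granted access in the first place.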
