Stack trace from a version of Cloudera's distribution of Impala (impalad version 3.4.0-SNAPSHOT RELEASE (build db20b59a093c17ea4699117155d58fe874f7d68f)):

Reviewing the code[1], I traced the TAccessLevel to the catalogd. And if I add user impala to group supergroup on the catalogd host, this query will succeed past the authorization.

Additionally, this query does not trip up during analysis when catalog v2 is enabled because the method getFirstLocationWithoutWriteAccess() is not implemented there yet and always returns null[2].

[2] https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/local/LocalFsTable.java#L295-L298

In a cluster with Ranger auth (and with legacy catalog mode), even if you provide RWX to cm_hdfs -> all-path for the user impala, inserting into a table whose HDFS POSIX permissions happen to exclude impala access will result in an

Ideally, when Ranger authorization is in place, we should:

1) Not check access level during analysis
2) Incorporate Ranger ACLs during analysis