-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74136/#review224773
-----------------------------------------------------------


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 1132 (patched)
<https://reviews.apache.org/r/74136/#comment313573>

RANGER-3000 introduced audit-filtering feature, which enables to skip generation of audit logs for conditions specified in service-configuration. Default service-configuration for Hive was updated in RANGER-3214 (shown below) to skip auditing of METADATA OPERATIONS, like SHOW DATABASES. Note the following text in Hive service-def configuration: {'actions':['METADATA OPERATION'], 'isAudited': false}

    {
      "itemId": 6,
      "name": "ranger.plugin.audit.filters",
      "type": "string",
      "mandatory": false,
      "label": "Ranger Default Audit Filters",
      "defaultValue": "[ {'accessResult': 'DENIED', 'isAudited': true}, {'actions':['METADATA OPERATION'], 'isAudited': false}, {'users':['hive','hue'],'actions':['SHOW_ROLES'],'isAudited':false} ]"
    }

Can you please verify the configuration of your Hive service (like dev_hive) if appropriate value is specified for "ranger.plugin.audit.filters"?


- Madhan Neethiraj


On Sept. 24, 2022, 2:37 p.m., Xuze Yang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74136/
> -----------------------------------------------------------
>
> (Updated Sept. 24, 2022, 2:37 p.m.)
>
>
> Review request for ranger, Kirby Zhou, Abhay Kulkarni, and Madhan Neethiraj.
>
>
> Bugs: RANGER-3685
>     https://issues.apache.org/jira/browse/RANGER-3685
>
>
> Repository: ranger
>
>
> Description
> -------
>
> hive show sql produces too many audit logs, which will flood valuable audit
> logs and take up a lot of storage resources. This patch aims to provide a
> configuration item to support simplified hive audit logging
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java 6675125e1
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 8f6801be1
>
>
> Diff: https://reviews.apache.org/r/74136/diff/1/
>
>
> Testing
> -------
>
> 1. when configuration "xasecure.hive.simplify.audit.of.hive.show.sql" is not
> set or set to false. The code behaves the same as before, i.e record audit
> logs for each databases or tables
> 2. when configuration "xasecure.hive.simplify.audit.of.hive.show.sql" is set
> to true. It will only record an audit log about USE operation
>
>
> Thanks,
>
> Xuze Yang
>
>
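
The configuration check requested in the review comment above, as an added example (not part of the original e-mail and not Ranger's own code): it parses a "ranger.plugin.audit.filters" value and reports whether any filter turns auditing off for METADATA OPERATION. The function names and the `service_configs` dict are hypothetical, and treating the value as JSON written with single quotes is an assumption based on the default value shown in the comment.

```python
import json

# Default value quoted in the review comment (Hive service-def).
DEFAULT_FILTERS = (
    "[ {'accessResult': 'DENIED', 'isAudited': true}, "
    "{'actions':['METADATA OPERATION'], 'isAudited': false}, "
    "{'users':['hive','hue'],'actions':['SHOW_ROLES'],'isAudited':false} ]"
)
KEY = "ranger.plugin.audit.filters"


def parse_audit_filters(raw):
    """Parse the single-quoted JSON array used for the audit-filter value.

    Assumption: no string inside the value contains a quote character.
    """
    if raw is None or not raw.strip():
        return []
    filters = json.loads(raw.replace("'", '"'))
    if not isinstance(filters, list) or not all(isinstance(f, dict) for f in filters):
        raise ValueError(KEY + " must be a JSON array of objects")
    return filters


def audit_skip_status(service_configs, action="METADATA OPERATION"):
    """Classify how a service's configs treat auditing of `action`.

    Returns 'missing' (no filter turns auditing off for the action),
    'scoped' (only filters with extra conditions such as users do), or
    'present' (a filter conditioned on the action alone does).
    This is a static check of the text, not Ranger's evaluation logic.
    """
    status = "missing"
    for f in parse_audit_filters(service_configs.get(KEY)):
        if f.get("isAudited") is not False or action not in f.get("actions", []):
            continue
        extra = set(f) - {"actions", "isAudited"}
        if not extra:
            return "present"
        status = "scoped"
    return status


if __name__ == "__main__":
    # Constructed service configs; 'dev_hive' is the service name from the thread.
    for name, cfg in {"dev_hive": {}, "default": {KEY: DEFAULT_FILTERS}}.items():
        print(name, audit_skip_status(cfg))
```

A result of 'missing' for a service means its stored configuration does not carry the METADATA OPERATION filter from the default value, which is the situation the comment asks to rule out.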
