> On June 28, 2024, 11:57 p.m., Madhan Neethiraj wrote: > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java > > Lines 62 (patched) > > <https://reviews.apache.org/r/75071/diff/1/?file=2289430#file2289430line62> > > > > Ramesh - requestData is set in #59 above. If this value is null/blank, > > shouldn't this be fixed in Hive - to ensure that the > > HiveAuthzContext.commandString is populated correctly? > > > > In #64, is it not necessry to distingush "show tables" and "show > > databases"? Are there no other metadata operations in Hive (that need to be > > recorded in the audit log)? > > Ramesh Mani wrote: > Madhan - Yes this has to be coming from Hive. In Ranger the commands that > are going to come through the filterObjects will be marked as "Metadata > Operation". those are show database, show tables and show view, show > materialized view, but we won't be able to differentiate between tables / > views, so we can have command string as "show tables / views" until hive > sends the commanString and it gets populated correctly. > > Madhan Neethiraj wrote: > Ramesh - when HiveAuthzContext object passed to filterObjects() has empty > commandString, how about deriving from HivePrivilegeObject objects passed to > filterObject()?
Madhan - HivePrivilegeObject is the one we use to create the resources and its not helping much here in this case. Hive has to make the necessary changes to pass HiveAuthzContext with more info. - Ramesh ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75071/#review226610 ----------------------------------------------------------- On June 29, 2024, 5:33 p.m., Ramesh Mani wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/75071/ > ----------------------------------------------------------- > > (Updated June 29, 2024, 5:33 p.m.) > > > Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, > and Velmurugan Periasamy. > > > Bugs: RANGER-4835 > https://issues.apache.org/jira/browse/RANGER-4835 > > > Repository: ranger > > > Description > ------- > > RANGER-4835:RangerHiveAuthorizer audit enhancement for metadata operations > like show table and databases > > > Diffs > ----- > > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java > deb467f7f > > > Diff: https://reviews.apache.org/r/75071/diff/2/ > > > Testing > ------- > > - Testing done in local vm on RangerHivePlugin with operations like show > database, show tables, use database, select queries. > > > Thanks, > > Ramesh Mani > >
