[
https://issues.apache.org/jira/browse/IMPALA-9597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-9597:
--------------------------------
Description:
After IMPALA-9350, Impala is able to produce the corresponding Ranger audits
when a query involves policies of column masking. However, redundant audit
events could be produced in some cases.
For example, currently Impala will always generate audit events for column
masking even though the requesting user is not granted the necessary privilege
on the specified resource because {{AuthorizationChecker#postAuthorize()}} is
always called whether there is an {{AuthorizationException}} or not.
Another example is that if a table occurs several times in a query, we would
have duplicate audits for the same column involved in a column masking policy.
Take the following query for example, since the query would result in 2 calls
to {{SelectStmt#analyze()}} on the same table, given that there is a column
masking policy for the column of {{string_col}}, we will see 2 duplicate audit
events for this column.
{noformat}
with iv as (select id, bool_col, string_col from functional.alltypestiny)
select * from iv;
{noformat}
We should thus eliminate the redundant audits in the cases described above.

was:

After [IMPALA-9350|https://issues.apache.org/jira/browse/IMPALA-9350], Impala
is able to produce the corresponding Ranger audits when a query involves
policies of column masking. However, duplicate audit events will be produced if
a column is referenced multiple times in a query.
For instance, since the following query would result in 2 calls to
{{SelectStmt#analyze()}} on the same table, given that there is a column
masking policy for the column of {{string_col}}, we will see 2 duplicate audit
events for this column.
{noformat}
with iv as (select id, bool_col, string_col from functional.alltypestiny)
select * from iv;
{noformat}
We should thus deduplicate the audits in the case described above.
> Eliminate redundant Ranger audits when a query involves column masking
> ----------------------------------------------------------------------
>
> Key: IMPALA-9597
> URL: https://issues.apache.org/jira/browse/IMPALA-9597
> Project: IMPALA
> Issue Type: Improvement
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> After IMPALA-9350, Impala is able to produce the corresponding Ranger audits
> when a query involves policies of column masking. However, redundant audit
> events could be produced in some cases.
> For example, currently Impala will always generate audit events for column
> masking even though the requesting user is not granted the necessary
> privilege on the specified resource because
> {{AuthorizationChecker#postAuthorize()}} is always called whether there is an
> {{AuthorizationException}} or not.
> Another example is that if a table occurs several times in a query, we would
> have duplicate audits for the same column involved in a column masking
> policy. Take the following query for example, since the query would result in
> 2 calls to {{SelectStmt#analyze()}} on the same table, given that there is a
> column masking policy for the column of {{string_col}}, we will see 2
> duplicate audit events for this column.
> {noformat}
> with iv as (select id, bool_col, string_col from functional.alltypestiny)
> select * from iv;
> {noformat}
> We should thus eliminate the redundant audits in the cases described above.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
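
The two cases in the description, as an added sketch that is not Impala's or Ranger's code: column-masking audits are buffered in a set during analysis so repeats for the same column collapse, and the buffer is flushed only when authorization succeeded. The class, method and field names, the user names and the policy id are all hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added illustration (Java 16+). Every name below is hypothetical; none is an
// Impala or Ranger API.
public class MaskingAuditBuffer {
  // Identity of one column-masking audit: who, which column, which policy.
  record MaskAudit(String user, String db, String table, String column, long policyId) {}

  private final Set<MaskAudit> pending = new LinkedHashSet<>();
  private final List<MaskAudit> emitted = new ArrayList<>(); // stands in for the audit sink

  // Called each time analysis meets a masked column; equal events collapse in the set.
  void add(MaskAudit audit) { pending.add(audit); }

  // Called once per statement: flush on success, discard on authorization failure.
  void finish(boolean authorized) {
    if (authorized) emitted.addAll(pending);
    pending.clear();
  }

  List<MaskAudit> emitted() { return List.copyOf(emitted); }

  public static void main(String[] args) {
    MaskingAuditBuffer buf = new MaskingAuditBuffer();

    // Constructed input: the WITH query analyzes alltypestiny twice, so the
    // masked column string_col is reported twice for the same user and policy.
    for (int pass = 0; pass < 2; pass++) {
      buf.add(new MaskAudit("alice", "functional", "alltypestiny", "string_col", 1L));
    }
    buf.finish(true);
    System.out.println("authorized query: " + buf.emitted().size() + " audit(s)");

    // Constructed input: a user without privilege on the table. Authorization
    // failed, so the masking audit gathered during analysis is dropped.
    int before = buf.emitted().size();
    buf.add(new MaskAudit("bob", "functional", "alltypestiny", "string_col", 1L));
    buf.finish(false);
    System.out.println("denied query: " + (buf.emitted().size() - before) + " new audit(s)");
  }
}
```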