[
https://issues.apache.org/jira/browse/IMPALA-9977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17165087#comment-17165087
]
ASF subversion and git services commented on IMPALA-9977:
---------------------------------------------------------
Commit d83074c5992d51d136a509639a038bde5c3393bf in impala's branch
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=d83074c ]
IMPALA-9977: Remove duplicate Ranger audit log entries for ALTER events
This JIRA could be considered as a follow-up to IMPALA-9625, where we
converted the name of a TAccessEvent to lowercase to avoid duplicate
audits in the Set used to maintain the collected TAccessEvent's so that
there will not be duplicate TAccessEvent's in the file specified by the
flag of "-audit_event_log_dir" when Impala is started.
However, the patch for IMPALA-9625 only considered the audits that are
exported to the specific file mentioned above but not the
PrivilegeRequest's that will be processed by Ranger which in turn would
produce the corresponding audit log entries. Therefore, the
fully-qualified table name that is provided when
Analyzer#registerPrivReq() is called in Analyzer#getTable() is not
necessarily in lowercase, resulting in duplicate AuthzAuditEvent's
stored in the corresponding RangerBufferAuditHandler because the
full table names returned from registerAuthAndAuditEvent() and
getTable() differ. Refer to IMPALA-9625 for more details.
To resolve the inconsistencies, this patch converts the arguments of
database and table names to lowercase when
PrivilegeRequestBuilder#onTable() is building the corresponding
PrivilegeRequest, which will later be added to the Set of
PrivilegeRequest's for Ranger to process.
Testing:
- Added an FE test in RangerAuditLogTest.java to make sure no duplicate
Ranger audit log entries are produced.
- Verified that the patch passes the exhaustive tests in the DEBUG
build.
Change-Id: Iab9b664ad5ee9722182007ee67d14bf47bd03d8a
Reviewed-on: http://gerrit.cloudera.org:8080/16231
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Impala's COMPUTE STATS statement generates duplicate Ranger audit log entries
> for the ALTER events
> --------------------------------------------------------------------------------------------------
>
> Key: IMPALA-9977
> URL: https://issues.apache.org/jira/browse/IMPALA-9977
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Critical
>
> IMPALA-9625 fixed the reported problem converting every fully-qualified table
> name to lowercase in the method call to addAccessEvent() at
> https://github.com/apache/impala/blame/master/fe/src/main/java/org/apache/impala/analysis/Analyzer.java#L2881-L2882
> so that we will not have duplicate audit log entries in the file specified
> by the flag of "{{-audit_event_log_dir}}" when starting Impala.
> However, the patch for IMPALA-9625 did not fix the problem of duplicate
> Ranger log entries resulting from the registration of privilege requests at
> https://github.com/apache/impala/blame/master/fe/src/main/java/org/apache/impala/analysis/Analyzer.java#L2860-L2872.
> Specifically, Ranger performs authorization based on the privilege requests
> added in the for-loop pointed out above, where the fully-qualified table
> names are NOT converted to lowercase. Thus, we should also make the full
> table name consistent for those privilege requests that will be used by
> Ranger.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
