Fang-Yu Rao created IMPALA-10913:
------------------------------------
Summary: Consider produce audit logs for SHOW DATABASES
Key: IMPALA-10913
URL: https://issues.apache.org/jira/browse/IMPALA-10913
Project: IMPALA
Issue Type: Improvement
Components: Frontend
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao
Currently Impala FE does not generate audit logs for the statement "{{SHOW
DATABASES}}".
Taking a much closer look at the current implementation of Apache Impala, I
think the authorization check for the statement "{{SHOW DATABASES}}" occurs at
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/service/Frontend.java#L1165].
Notice that [hasAnyAccess(User user, Set<PrivilegeRequest>
requests)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L89]
has been used to authorize this statement. Under the hood [hasAccess(User
user, PrivilegeRequest
request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L66]
will be invoked to perform the authorization with Ranger.
However, I think [hasAccess(User user, PrivilegeRequest
request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L66]
does not have the capability to retain audit logs generated by Ranger. To
retain the audit logs generated by Ranger, we have to invoke
[hasAccess(AuthorizationContext authzCtx, User user, PrivilegeRequest
request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L75-L86]
since the field used to store Ranger's audits is in {{authzCtx}}, an instance
of {{AuthorizationContext}}.
Once we start invoking {{hasAccess(AuthorizationContext authzCtx, User user,
PrivilegeRequest request)}} for "{{SHOW DATABASES}}" we also need to output the
audit log(s) like what we do for most of the queries analyzed by the Impala FE at
[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L188-L190].
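The pattern the issue describes, as an added example that is not part of the original message and is not Impala's code: an authorization overload without a context returns only the decision, while the overload that takes a context retains audit events the caller can emit afterwards. Every class, method and value here (ShowDatabasesAuditSketch, AuthzCtx, Checker, AuditEvent, the sample users and databases) is a hypothetical stand-in, not the real AuthorizationContext or BaseAuthorizationChecker.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Simplified stand-in model; these are NOT Impala's real classes.
public class ShowDatabasesAuditSketch {
  record AuditEvent(String user, String resource, boolean allowed) {}

  // Plays the role the issue assigns to AuthorizationContext: it holds the audit events.
  static class AuthzCtx {
    final List<AuditEvent> events = new ArrayList<>();
  }

  static class Checker {
    private final Set<String> visibleDbs;  // constructed policy: databases the user may see
    Checker(Set<String> visibleDbs) { this.visibleDbs = visibleDbs; }

    // Context-free overload: the decision is returned, but no audit event can be retained.
    boolean hasAccess(String user, String db) { return visibleDbs.contains(db); }

    // Context-aware overload: the same decision, recorded in the caller's context.
    boolean hasAccess(AuthzCtx ctx, String user, String db) {
      boolean allowed = hasAccess(user, db);
      ctx.events.add(new AuditEvent(user, db, allowed));
      return allowed;
    }
  }

  // SHOW DATABASES filtering done through the context-aware overload.
  static List<String> showDatabases(Checker c, AuthzCtx ctx, String user, List<String> dbs) {
    List<String> visible = new ArrayList<>();
    for (String db : dbs) {
      if (c.hasAccess(ctx, user, db)) visible.add(db);
    }
    return visible;
  }

  public static void main(String[] args) {
    Checker checker = new Checker(Set.of("default", "sales"));  // constructed sample policy
    AuthzCtx ctx = new AuthzCtx();
    List<String> dbs = List.of("default", "hr", "sales");       // constructed sample catalog
    System.out.println("visible: " + showDatabases(checker, ctx, "alice", dbs));
    // Emit the retained events, the step the issue says must follow the authorization check.
    for (AuditEvent e : ctx.events) System.out.println("audit: " + e);
  }
}
```

Calling the two-argument overload inside showDatabases instead would produce the same visible list with an empty ctx.events, which is the missing-audit behaviour the issue reports.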