[ 
https://issues.apache.org/jira/browse/IMPALA-14518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fang-Yu Rao updated IMPALA-14518:
---------------------------------
    Description: 
Currently when Ranger is the authorization provider, Impala does not create a 
privilege request for the command. As a result, Impala does not convert such a 
privilege request to {{RangerAccessRequestImpl}} and consult the Ranger plug-in 
about whether the requesting user is allowed to execute this command.

It would be good if we also produce such a privilege request so that we could 
produce an audit event for SHOW DATABASES. In {{checkPrivileges()}} of 
[RangerHiveAuthorizer.java|https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java],
 Hive's Ranger plug-in does the following to create a privilege request. It 
should be possible for Impala to do something similar.
{code:java}
// this should happen only for SHOWDATABASES
if (hiveOpType == HiveOperationType.SHOWDATABASES) {
  RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
  RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles,
      hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
}
{code}

  was:
Currently when Ranger is the authorization provider, Impala does not create a 
privilege request for the command. As a result, Impala does not convert such a 
privilege request to {{RangerAccessRequestImpl}} and consult the Ranger plug-in 
about whether the requesting user is allowed to execute this command.

It would be good if we also produce such a privilege request so that we could 
produce an audit event for SHOW DATABASES. In {{checkPrivileges()}} of 
[RangerHiveAuthorizer.java|https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java],
 Hive's Ranger plug-in does the following to create a privilege request. It 
should be possible for Impala to do the same.
{code:java}
// this should happen only for SHOWDATABASES
if (hiveOpType == HiveOperationType.SHOWDATABASES) {
  RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
  RangerHiveAccessRequest request  = new RangerHiveAccessRequest(resource, user, groups, roles,
      hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
}{code}


> Consider producing Ranger audit event for SHOW DATABASES
> --------------------------------------------------------
>
>                 Key: IMPALA-14518
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14518
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Currently when Ranger is the authorization provider, Impala does not create a 
> privilege request for the command. As a result, Impala does not convert such 
> a privilege request to {{RangerAccessRequestImpl}} and consult the Ranger 
> plug-in about whether the requesting user is allowed to execute this command.
> It would be good if we also produce such a privilege request so that we could 
> produce an audit event for SHOW DATABASES. In {{checkPrivileges()}} of 
> [RangerHiveAuthorizer.java|https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java],
>  Hive's Ranger plug-in does the following to create a privilege request. It 
> should be possible for Impala to do something similar.
> {code:java}
> // this should happen only for SHOWDATABASES
> if (hiveOpType == HiveOperationType.SHOWDATABASES) {
>   RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
>   RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles,
>       hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
> }
> {code}


