[ https://issues.apache.org/jira/browse/IMPALA-10913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18055461#comment-18055461 ]
ASF subversion and git services commented on IMPALA-10913:
----------------------------------------------------------
Commit a398f7992e8a94e20861ffe81d3a84f186c406da in impala's branch
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=a398f7992 ]
IMPALA-10913: Produce Ranger audit log for SHOW DATABASES

This patch makes Impala produce Ranger audit log for the SHOW DATABASES
and the SHOW DATABASES LIKE statements. Moreover, this patch enforces
the authorization check for the default database, meaning that the
default database will not be shown if the requesting user is not
authorized to view this database according to the Ranger policy
repository. To support this new type of authorization check, we added
the class AuthorizableDbList to represent the object to be accessed by
those two statements.

Note that this patch generates the same RangerAccessRequestImpl for the
SHOW DATABASES statement as Hive does when Ranger is the authorization
provider. Specifically, in
https://github.com/apache/ranger/blob/668b80b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L806-L811
for the operation of SHOWDATABASES, the constructor of
RangerHiveResource does not populate any field in
RangerAccessResourceImpl with a non-null value. Moreover, when
HiveAccessType.USE is passed to the constructor of
RangerHiveAccessRequest, under the covers 'accessType' in
RangerAccessRequestImpl will be set to "_any" as shown in
RangerHiveAccessRequest#setHiveAccessType().

Testing:
- Added test cases to make sure the Ranger audit event will be
produced.
- Added test cases to verify the database 'default' will not be shown
if the requesting user is not allowed to discover the database based
on the Ranger policy repository.

Change-Id: Idb3e54b152e953916d3d7d7ef27c880a8559ed26
Reviewed-on: http://gerrit.cloudera.org:8080/23877
Reviewed-by: Quanlong Huang <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Consider producing audit logs for SHOW DATABASES
> ------------------------------------------------
>
> Key: IMPALA-10913
> URL: https://issues.apache.org/jira/browse/IMPALA-10913
> Project: IMPALA
> Issue Type: Improvement
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Minor
>
> Currently Impala FE does not generate audit logs for the statement "{{SHOW
> DATABASES}}".
> Taking a much closer look at the current implementation of Apache Impala, I
> think the authorization check for the statement "{{SHOW DATABASES}}" occurs
> at
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/service/Frontend.java#L1165].
> Notice that [hasAnyAccess(User user, Set<PrivilegeRequest>
> requests)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L89]
> has been used to authorize this statement. Under the hood [hasAccess(User
> user, PrivilegeRequest
> request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L66]
> will be invoked to perform the authorization with Ranger.
> However, [hasAccess(User user, PrivilegeRequest
> request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L66]
> does not have the capability to retain audit logs generated by Ranger. To
> retain the audit logs generated by Ranger, we have to invoke
> [hasAccess(AuthorizationContext authzCtx, User user, PrivilegeRequest
> request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L75-L86]
> since the field used to store Ranger's audits is in {{authzCtx}}, an
> instance of {{AuthorizationContext}}.
> Once we start invoking {{hasAccess(AuthorizationContext authzCtx, User user,
> PrivilegeRequest request)}} for "{{SHOW DATABASES}}" we also need to output
> the audit log(s) like what we do for most queries analyzed by the Impala
> FE at
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L188-L190].
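The pattern the issue and commit describe, as an added sketch that is not Impala or Ranger code: a context-free check returns a decision and drops the audit event, while a context-aware overload retains it, and the 'default' database goes through the same filter as every other database. The names AuthzContext, POLICY and showDatabases, the policy data, and the one-event-per-database logging are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model, NOT Impala or Ranger code. AuthzContext, POLICY and
// showDatabases are hypothetical stand-ins; only the two-overload shape of
// hasAccess and the "_any" access type come from the message above.
public class ShowDatabasesAuditSketch {
  // Carries the audit events collected while one statement is authorized.
  static class AuthzContext {
    final List<String> auditEvents = new ArrayList<>();
  }

  // Constructed policy: user -> databases that user may discover.
  static final Map<String, Set<String>> POLICY = Map.of(
      "alice", Set.of("default", "sales"),
      "bob", Set.of("sales"));

  // Context-free check: a decision is returned, but nothing is retained.
  static boolean hasAccess(String user, String db) {
    return POLICY.getOrDefault(user, Set.of()).contains(db);
  }

  // Context-aware check: same decision, and the event is kept in ctx.
  static boolean hasAccess(AuthzContext ctx, String user, String db) {
    boolean allowed = hasAccess(user, db);
    ctx.auditEvents.add(String.format(
        "user=%s db=%s access=_any result=%s", user, db, allowed ? "ALLOWED" : "DENIED"));
    return allowed;
  }

  // Filters every database, 'default' included, through the context-aware check.
  static List<String> showDatabases(AuthzContext ctx, String user, List<String> all) {
    List<String> visible = new ArrayList<>();
    for (String db : all) {
      if (hasAccess(ctx, user, db)) visible.add(db);
    }
    return visible;
  }

  public static void main(String[] args) {
    List<String> catalog = List.of("default", "hr", "sales"); // constructed sample
    AuthzContext ctx = new AuthzContext();
    System.out.println("bob sees: " + showDatabases(ctx, "bob", catalog));
    // Emit what the context retained, as the statement's audit trail.
    ctx.auditEvents.forEach(e -> System.out.println("audit: " + e));
  }
}
```

Calling the two-argument overload in showDatabases instead would return the same list while leaving ctx.auditEvents empty, which is the gap the issue reports.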