[
https://issues.apache.org/jira/browse/IMPALA-10913?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao closed IMPALA-10913.
--------------------------------
Target Version: Impala 5.0.0
Resolution: Fixed
> Consider producing audit logs for SHOW DATABASES
> ------------------------------------------------
>
> Key: IMPALA-10913
> URL: https://issues.apache.org/jira/browse/IMPALA-10913
> Project: IMPALA
> Issue Type: Improvement
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Minor
>
> Currently Impala FE does not generate audit logs for the statement "{{SHOW
> DATABASES}}".
> Taking a much closer look at the current implementation of Apache Impala, I
> think the authorization check for the statement "{{SHOW DATABASES}}" occurs
> at
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/service/Frontend.java#L1165].
> Notice that [hasAnyAccess(User user, Set<PrivilegeRequest>
> requests)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L89]
> has been used to authorize this statement. Under the hood [hasAccess(User
> user, PrivilegeRequest
> request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L66]
> will be invoked to perform the authorization with Ranger.
> However, [hasAccess(User user, PrivilegeRequest
> request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L66]
> does not have the capability to retain audit logs generated by Ranger. To
> retain the audit logs generated by Ranger, we have to invoke
> [hasAccess(AuthorizationContext authzCtx, User user, PrivilegeRequest
> request)|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java#L75-L86]
> since the field used to store Ranger's audits is in {{authzCtx}}, an
> instance of {{AuthorizationContext}}.
> Once we start invoking {{hasAccess(AuthorizationContext authzCtx, User user,
> PrivilegeRequest request)}} for "{{SHOW DATABASES}}" we also need to output
> the audit log(s) like what we do for most of the queries analyzed by the Impala
> FE at
> [https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L188-L190].
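The audit gap described in the issue, as an added example that is not Impala code and not part of the original message: a simplified, self-contained Java model in which the `hasAccess` overload without a context drops the audit event and the overload taking an `AuthorizationContext` retains it. The signatures are reduced to strings, and `AuditEvent`, `POLICY`, `evaluate` and `showDatabases` are hypothetical names; the assumption that every policy decision yields one audit event belongs to this model only.

```java
import java.util.*;

// Simplified model of the two authorization paths; not Impala source code.
public class ShowDatabasesAudit {
  record AuditEvent(String user, String resource, boolean allowed) {}

  // Stand-in for AuthorizationContext: holds the audit events of one statement.
  static class AuthorizationContext {
    final List<AuditEvent> events = new ArrayList<>();
  }

  // Constructed policy: user -> databases the user holds some privilege on.
  static final Map<String, Set<String>> POLICY = Map.of("alice", Set.of("sales", "hr"));

  // Hypothetical policy-engine call: each decision yields one audit event.
  static AuditEvent evaluate(String user, String db) {
    boolean ok = POLICY.getOrDefault(user, Set.of()).contains(db);
    return new AuditEvent(user, db, ok);
  }

  // Overload without a context: the decision is returned, the event is lost.
  static boolean hasAccess(String user, String db) {
    return evaluate(user, db).allowed();
  }

  // Overload with a context: the event is retained so it can be logged later.
  static boolean hasAccess(AuthorizationContext ctx, String user, String db) {
    AuditEvent e = evaluate(user, db);
    ctx.events.add(e);
    return e.allowed();
  }

  // Filters the database list the way SHOW DATABASES must; ctx may be null.
  static List<String> showDatabases(AuthorizationContext ctx, String user, List<String> dbs) {
    List<String> visible = new ArrayList<>();
    for (String db : dbs) {
      boolean ok = (ctx == null) ? hasAccess(user, db) : hasAccess(ctx, user, db);
      if (ok) visible.add(db);
    }
    return visible;
  }

  public static void main(String[] args) {
    List<String> dbs = List.of("sales", "hr", "finance");
    System.out.println(showDatabases(null, "alice", dbs)); // same result, no audit trail
    AuthorizationContext ctx = new AuthorizationContext();
    System.out.println(showDatabases(ctx, "alice", dbs));
    ctx.events.forEach(System.out::println); // flush step: emit the retained events
  }
}
```

Both calls return the same visible databases; only the second leaves a record of which databases the user was checked against, including the denied one.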