[jira] [Updated] (IMPALA-14956) Create Ranger audit events for GRANT/REVOKE statements

Wed, 06 May 2026 18:17:11 -0700 


     [ 
https://issues.apache.org/jira/browse/IMPALA-14956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fang-Yu Rao updated IMPALA-14956:
---------------------------------
    Summary: Create Ranger audit events for GRANT/REVOKE statements  (was: 
Create Ranger audit events for GRANT/REVOKE statement)

> Create Ranger audit events for GRANT/REVOKE statements
> ------------------------------------------------------
>
>                 Key: IMPALA-14956
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14956
>             Project: IMPALA
>          Issue Type: Task
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Take the {{GRANT ROLE}} statement for example, when Ranger is the 
> authorization provider for Apache Hive, we execute 
> "{{{}createAuditEvent(){}}}" to produce the respective audit event as follows 
> ([https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609])
>  to produce its Ranger audit event. We should produce a Ranger audit event 
> for the GRANT/REVOKE statements too in Impala.
> {code:java}
>     public void grantRole(List<HivePrincipal> hivePrincipals, List<String> 
> roles, boolean grantOption, HivePrincipal grantorPrinc) throws 
> HiveAccessControlException {
>         LOG.debug("RangerHiveAuthorizerBase.grantRole()");
>         boolean                result       = false;
>         RangerHiveAuditHandler auditHandler = new 
> RangerHiveAuditHandler(hivePlugin.getConfig());
>         String                 username     = 
> getGrantorUsername(grantorPrinc);
>         List<String>           principals   = new ArrayList<>();
>         try {
>             GrantRevokeRoleRequest request   = new GrantRevokeRoleRequest();
> ...
>             hivePlugin.grantRole(request, auditHandler);
>             result = true;
>         } catch (Exception excp) {
>             throw new HiveAccessControlException(excp);
>         } finally {
>             RangerAccessResult accessResult = createAuditEvent(hivePlugin, 
> username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER, 
> roles, result);
>             auditHandler.processResult(accessResult);
>             auditHandler.flushAudit();
>         }
>     }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to