[jira] [Created] (IMPALA-15046) Produce Ranger audit events for role-related SHOW statements

Thu, 28 May 2026 13:50:44 -0700 

Fang-Yu Rao created IMPALA-15046:
------------------------------------

             Summary: Produce Ranger audit events for role-related SHOW 
statements
                 Key: IMPALA-15046
                 URL: https://issues.apache.org/jira/browse/IMPALA-15046
             Project: IMPALA
          Issue Type: Task
            Reporter: Fang-Yu Rao


When Apache Ranger is the authorization provider for Apache Hive, Hive produces 
Ranger audit events for the statements {{{}SHOW ROLES{}}}, {{{}SHOW ROLE GRANT 
USER/GROUP{}}}, and {{{}SHOW CURRENT ROLES{}}}. It would be good if Impala 
could produce Ranger audit events for those statements.
 - {{SHOW ROLES}} is processed by 
[RangerHiveAuthorizer#getAllRoles()|https://github.com/apache/ranger/blob/c5b55a4/hiveagent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L1168-L1220],
 and the following is used to produce the audit event.
{code:java}
            RangerAccessResult accessResult = createAuditEvent(hivePlugin, 
currentUserName, userNames, HiveOperationType.SHOW_ROLES, 
HiveAccessType.SELECT, null, result);
            hivePlugin.evalAuditPolicies(accessResult);
            auditHandler.processResult(accessResult);
            auditHandler.flushAudit();
{code}

 - {{SHOW ROLE GRANT USER/GROUP}} is processed by 
[RangerHiveAuthorizer#getRoleGrantInfoForPrincipal()|https://github.com/apache/ranger/blob/c5b55a4/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L457-L528],
 and the following is used to produce the audit event.
{code:java}
            RangerAccessResult accessResult = createAuditEvent(hivePlugin, 
currentUserName, userNames, HiveOperationType.SHOW_ROLE_GRANT, 
HiveAccessType.SELECT, principalInfo, result);
            hivePlugin.evalAuditPolicies(accessResult);
            auditHandler.processResult(accessResult);
            auditHandler.flushAudit();
{code}

 - {{SHOW CURRENT ROLES}} is processed by 
[RangerHiveAuthorizer#getCurrentRoleNames()|https://github.com/apache/ranger/blob/c5b55a4/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L1299-L1332],
 and the following is used to produce the audit event.
{code:java}
            RangerAccessResult accessResult = createAuditEvent(hivePlugin, 
user, userNames, HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, ret, 
result);
            hivePlugin.evalAuditPolicies(accessResult);
            auditHandler.processResult(accessResult);
            auditHandler.flushAudit();
{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to