[
https://issues.apache.org/jira/browse/IMPALA-14956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18095621#comment-18095621
]
ASF subversion and git services commented on IMPALA-14956:
----------------------------------------------------------
Commit 00ca633a3c8472f6097abc7be0dc13e477325ac8 in impala's branch
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=00ca633a3 ]
IMPALA-14956: Produce Ranger audit events for GRANT/REVOKE ROLE
Due to RANGER-5595, Impala could not produce Ranger audit events for
the GRANT/REVOKE ROLE statements. This patch works around this issue by
mimicking what RangerHiveAuthorizer#grantRole() does at
https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609-L612.
On a related note, adding the test cases for the GRANT/REVOKE privilege
statements is not in the scope of this JIRA. IMPALA-15011 was created to
keep track of this.
Testing:
- Added Java test cases to verify Ranger audit events could be produced
for the GRANT/REVOKE ROLE statements.
Change-Id: I7e0527af0532749817ea538c253262a5e2a65c61
Reviewed-on: http://gerrit.cloudera.org:8080/24315
Reviewed-by: Michael Smith <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Jason Fehr <[email protected]>
> Create Ranger audit events for GRANT/REVOKE ROLE statements
> -----------------------------------------------------------
>
> Key: IMPALA-14956
> URL: https://issues.apache.org/jira/browse/IMPALA-14956
> Project: IMPALA
> Issue Type: Task
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> Take the {{GRANT ROLE}} statement for example, when Ranger is the
> authorization provider for Apache Hive, we execute
> "{{{}createAuditEvent(){}}}" to produce the respective audit event as follows
> ([https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609])
> to produce its Ranger audit event. We should produce a Ranger audit event
> for the GRANT/REVOKE statements too in Impala.
> {code:java}
> public void grantRole(List<HivePrincipal> hivePrincipals, List<String>
> roles, boolean grantOption, HivePrincipal grantorPrinc) throws
> HiveAccessControlException {
> LOG.debug("RangerHiveAuthorizerBase.grantRole()");
> boolean result = false;
> RangerHiveAuditHandler auditHandler = new
> RangerHiveAuditHandler(hivePlugin.getConfig());
> String username =
> getGrantorUsername(grantorPrinc);
> List<String> principals = new ArrayList<>();
> try {
> GrantRevokeRoleRequest request = new GrantRevokeRoleRequest();
> ...
> hivePlugin.grantRole(request, auditHandler);
> result = true;
> } catch (Exception excp) {
> throw new HiveAccessControlException(excp);
> } finally {
> RangerAccessResult accessResult = createAuditEvent(hivePlugin,
> username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER,
> roles, result);
> auditHandler.processResult(accessResult);
> auditHandler.flushAudit();
> }
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]