[ 
https://issues.apache.org/jira/browse/IMPALA-14956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18095621#comment-18095621
 ] 

ASF subversion and git services commented on IMPALA-14956:
----------------------------------------------------------

Commit 00ca633a3c8472f6097abc7be0dc13e477325ac8 in impala's branch 
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=00ca633a3 ]

IMPALA-14956: Produce Ranger audit events for GRANT/REVOKE ROLE

Due to RANGER-5595, Impala could not produce Ranger audit events for
the GRANT/REVOKE ROLE statements. This patch works around this issue by
mimicking what RangerHiveAuthorizer#grantRole() does at
https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609-L612.

On a related note, adding the test cases for the GRANT/REVOKE privilege
statements is not in the scope of this JIRA. IMPALA-15011 was created to
keep track of this.

Testing:
 - Added Java test cases to verify Ranger audit events could be produced
   for the GRANT/REVOKE ROLE statements.

Change-Id: I7e0527af0532749817ea538c253262a5e2a65c61
Reviewed-on: http://gerrit.cloudera.org:8080/24315
Reviewed-by: Michael Smith <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Jason Fehr <[email protected]>


> Create Ranger audit events for GRANT/REVOKE ROLE statements
> -----------------------------------------------------------
>
>                 Key: IMPALA-14956
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14956
>             Project: IMPALA
>          Issue Type: Task
>            Reporter: Fang-Yu Rao
>            Assignee: Fang-Yu Rao
>            Priority: Major
>
> Take the {{GRANT ROLE}} statement for example, when Ranger is the 
> authorization provider for Apache Hive, we execute 
> "{{{}createAuditEvent(){}}}" to produce the respective audit event as follows 
> ([https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609])
>  to produce its Ranger audit event. We should produce a Ranger audit event 
> for the GRANT/REVOKE statements too in Impala.
> {code:java}
>     public void grantRole(List<HivePrincipal> hivePrincipals, List<String> 
> roles, boolean grantOption, HivePrincipal grantorPrinc) throws 
> HiveAccessControlException {
>         LOG.debug("RangerHiveAuthorizerBase.grantRole()");
>         boolean                result       = false;
>         RangerHiveAuditHandler auditHandler = new 
> RangerHiveAuditHandler(hivePlugin.getConfig());
>         String                 username     = 
> getGrantorUsername(grantorPrinc);
>         List<String>           principals   = new ArrayList<>();
>         try {
>             GrantRevokeRoleRequest request   = new GrantRevokeRoleRequest();
> ...
>             hivePlugin.grantRole(request, auditHandler);
>             result = true;
>         } catch (Exception excp) {
>             throw new HiveAccessControlException(excp);
>         } finally {
>             RangerAccessResult accessResult = createAuditEvent(hivePlugin, 
> username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER, 
> roles, result);
>             auditHandler.processResult(accessResult);
>             auditHandler.flushAudit();
>         }
>     }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to