[
https://issues.apache.org/jira/browse/IMPALA-11494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao resolved IMPALA-11494.
----------------------------------
Fix Version/s: Impala 4.2.0
Resolution: Fixed
Resolve the issue since the fix has been merged.
> Ranger audit log entries generated for authorized query against non-existing
> tables
> -----------------------------------------------------------------------------------
>
> Key: IMPALA-11494
> URL: https://issues.apache.org/jira/browse/IMPALA-11494
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 4.0.0, Impala 4.1.0
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
> Fix For: Impala 4.2.0
>
>
> We found that Impala will generate (confusing) Ranger audit log entries for a
> query against non-existing tables when the query is authorized (i.e., no
> {{AuthorizationException}} thrown).
> Specifically, to reproduce the issue, it suffices to perform the following
> steps.
> # As the user '{{admin}}', execute in Impala shell "{{GRANT ALL ON
> DATABASE functional to user <user_name>}}" and "{{GRANT ALL ON DATABASE
> default to user <user_name>}}".
> # Set a break point at
> [auditHandler.flush()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L197]
> and attach a debugger to the Impala daemon.
> # As the user '{{<user_name>}}', execute in Impala shell "{{SELECT *
> FROM functional.test_tbl_01}}", where '{{functional.test_tbl_01}}' is a
> non-existing table.
> # Use the debugger to inspect the produced {{AuthzAuditEvent}}'s. We
> will find out that there are 2 audit log entries generated like the
> following. The first is for the table '{{functional/test_tbl_01}}' and
> the second is for the table '{{default/functional}}'. This could be seen
> in the field of '{{resourcePath}}' in an {{AuthzAuditEvent}}.
> {code:java}
> 0 = {AuthzAuditEvent@6887}
> "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=functional/test_tbl_01;resourceType=@table;action=select;accessResult=1;agentId=impala;policyId=12;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=af92b724-1038-4a2c-9295-2bf6e7fbebe8-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=1;additionalInfo=null}"
> 1 = {AuthzAuditEvent@6888}
> "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=default/functional;resourceType=@table;action=select;accessResult=0;agentId=impala;policyId=-1;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=c090e009-d1a5-47ff-8b1e-87a9dfa64824-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=null;additionalInfo=null}"
> {code}
> We should not generate such confusing audit log entries for an authorized
> query against non-existing tables.
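For anyone triaging Ranger audit logs written by the affected versions, the following added example (not code from the Impala project or from the reporter) parses events in the `AuthzAuditEvent{...}` string form shown above and flags a denied event with `policyId=-1` that shares user, time and statement with an allowed event on a different `resourcePath`. The names `parse_event` and `find_confusing_denials` are hypothetical, the sample events are constructed from the two in the report, and `accessResult=1` is read as allowed and `0` as denied.

```python
import re
from collections import defaultdict

# Constructed sample input: the two events from the report reduced to the fields
# used below, plus one unrelated denial ("alice" and "some_tbl" are invented).
SAMPLE_EVENTS = [
    "AuthzAuditEvent{user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;"
    "resourcePath=functional/test_tbl_01;accessResult=1;policyId=12;"
    "requestData=select * from functional.test_tbl_01;seq_num=0}",
    "AuthzAuditEvent{user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;"
    "resourcePath=default/functional;accessResult=0;policyId=-1;"
    "requestData=select * from functional.test_tbl_01;seq_num=0}",
    "AuthzAuditEvent{user=alice;eventTime=Wed Aug 10 17:12:03 PDT 2022;"
    "resourcePath=functional/some_tbl;accessResult=0;policyId=-1;"
    "requestData=select * from functional.some_tbl;seq_num=0}",
]

# Split on ';' only when a field name follows, so a ';' inside requestData
# is less likely to cut the SQL text short (heuristic, not a full grammar).
FIELD_SEP = re.compile(r";(?=[A-Za-z_]+=)")

def parse_event(text):
    """Parse one AuthzAuditEvent{...} string into a dict of field -> value."""
    m = re.fullmatch(r"\s*AuthzAuditEvent\{(.*)\}\s*", text, re.DOTALL)
    if not m:
        raise ValueError("not an AuthzAuditEvent string")
    fields = {}
    for part in FIELD_SEP.split(m.group(1)):
        key, _, value = part.partition("=")
        fields[key.strip()] = " ".join(value.split())  # undo line wrapping
    return fields

def find_confusing_denials(events):
    """Return denied events that accompany an allowed event for the same statement."""
    groups = defaultdict(list)
    for ev in map(parse_event, events):
        groups[(ev["user"], ev["eventTime"], ev["requestData"])].append(ev)
    flagged = []
    for group in groups.values():
        allowed = {e["resourcePath"] for e in group if e["accessResult"] == "1"}
        for e in group:
            denied = e["accessResult"] == "0" and e["policyId"] == "-1"
            if denied and allowed and e["resourcePath"] not in allowed:
                flagged.append(e)
    return flagged

if __name__ == "__main__":
    for ev in find_confusing_denials(SAMPLE_EVENTS):
        print(ev["user"], ev["resourcePath"], "<-", ev["requestData"])
```

A denial with no allowed sibling, like the third sample event, is left alone because it may be a genuine access failure.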