Fang-Yu Rao created IMPALA-14518:
------------------------------------
Summary: Consider producing Ranger audit event for SHOW DATABASES
Key: IMPALA-14518
URL: https://issues.apache.org/jira/browse/IMPALA-14518
Project: IMPALA
Issue Type: Improvement
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao
Currently when Ranger is the authorization provider, Impala does not create a
privilege request for the command. As a result, Impala does not convert such a
privilege request to {{RangerAccessRequestImpl}} and consult the Ranger plug-in
about whether the requesting user is allowed to execute this command.
It would be good if we also produce such a privilege request so that we could
produce an audit event for SHOW DATABASES. In {{checkPrivileges()}} of
[RangerHiveAuthorizer.java|https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java],
Hive's Ranger plug-in does the following to create a privilege request. It
should be possible for Impala to do the same.
{code:java}
// this should happen only for SHOWDATABASES
if (hiveOpType == HiveOperationType.SHOWDATABASES) {
RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE,
null);
RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource,
user, groups, roles, hiveOpType.name(), HiveAccessType.USE, context,
sessionContext);
}{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
