Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/15412 )
Change subject: IMPALA-9350: Produce Ranger audits for column masking
......................................................................


Patch Set 5: Code-Review+1

(2 comments)

http://gerrit.cloudera.org:8080/#/c/15412/3/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
File fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java:

http://gerrit.cloudera.org:8080/#/c/15412/3/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java@419
PS3, Line 419:     TClientRequest clientRequest;
             :     AuthorizationContext authzCtx = null;
             :
             :     try {
             :       clientRequest = queryCtx_.getClient_request();
             :       authzCtx = authzChecker.createAuthorizationContext(true,
             :           clientRequest.isSetRedacted_stmt() ?
             :               clientRequest.getRedacted_stmt() : clientRequest.getStmt(),
             :           queryCtx_.getSession(), Optional.of(timeline_));
             :       // TODO: Generating column masking
> Thanks Quanlong for your insightful comments and questions! Yes, I agree wi
A solution/hack to generate the audit events after analysis would be to call the Ranger plugin in two passes:
1. analysis: collect the mask requests (e.g. RangerAccessRequests) and keep calling evalDataMaskPolicies without auditHandler
2. authorization: "replay" the collected requests, possibly filtering duplicates, now with auditHandler passed to evalDataMaskPolicies

I think that this would work and calling the API twice shouldn't make things much slower, but it still feels like a hack. I am ok with keeping this as a TODO.


http://gerrit.cloudera.org:8080/#/c/15412/5/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
File fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java:

http://gerrit.cloudera.org:8080/#/c/15412/5/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java@366
PS5, Line 366:       evalDataMaskPolicies(req, auditHandler);
What will happen if the user doesn't have any privilege on the table? Will this throw an exception?
This is not a new issue, but it would be good to check whether we can leak this exception out of AnalysisContext.analyze().


--
To view, visit http://gerrit.cloudera.org:8080/15412
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9d8a1181234dcef580f68f56c24ad7e962cfe58e
Gerrit-Change-Number: 15412
Gerrit-PatchSet: 5
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Comment-Date: Thu, 02 Apr 2020 14:02:10 +0000
Gerrit-HasComments: Yes
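The two-pass collect-and-replay idea from the first comment above, sketched as an added example. This is not code from the Impala change under review and not Ranger's own code; it only uses Ranger plugin API names that exist in the 2.x line (RangerBasePlugin.evalDataMaskPolicies, RangerAccessRequestImpl, RangerAccessResourceImpl, RangerDefaultAuditHandler). The class name TwoPassMaskEvaluator, the "user|db.table.column" dedup key, the "select" access type and the database/table/column resource keys are assumptions made for illustration, not something the review thread specifies.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

/**
 * Illustrative two-pass evaluation of Ranger column-masking policies (hypothetical, not Impala code).
 *
 * Pass 1 (analysis): evalDataMaskPolicies(req, null) yields the mask expression needed to
 * rewrite the statement, but with a null result processor no audit event is emitted.
 * Pass 2 (authorization): the recorded requests are replayed once each with an audit
 * handler, so audit events appear only after the query reached authorization, and a
 * column referenced several times in one statement is audited once.
 */
public final class TwoPassMaskEvaluator {
  private final RangerBasePlugin plugin;
  // Keyed by user + column so repeated references to the same column are replayed
  // (and therefore audited) only once; LinkedHashMap keeps first-seen order.
  private final Map<String, RangerAccessRequest> pending = new LinkedHashMap<>();

  public TwoPassMaskEvaluator(RangerBasePlugin plugin) {
    this.plugin = plugin;
  }

  /** Pass 1: called from analysis for every column reference that may be masked. */
  public RangerAccessResult evalDuringAnalysis(String user, Set<String> groups,
      String db, String table, String column) {
    RangerAccessRequestImpl req = buildRequest(user, groups, db, table, column);
    pending.putIfAbsent(dedupKey(user, db, table, column), req);
    // No audit handler here: only the masking decision is wanted, not the audit event.
    return plugin.evalDataMaskPolicies(req, null);
  }

  /** Pass 2: called from authorization; replays the distinct requests with auditing on. */
  public List<RangerAccessResult> replayDuringAuthorization(
      RangerDefaultAuditHandler auditHandler) {
    List<RangerAccessResult> results = new ArrayList<>(pending.size());
    for (RangerAccessRequest req : pending.values()) {
      // Same request as in pass 1, but now the handler receives and logs the result.
      results.add(plugin.evalDataMaskPolicies(req, auditHandler));
    }
    pending.clear();
    return results;
  }

  private static RangerAccessRequestImpl buildRequest(String user, Set<String> groups,
      String db, String table, String column) {
    RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
    // Resource keys as in the Hive service definition (assumed here).
    resource.setValue("database", db);
    resource.setValue("table", table);
    resource.setValue("column", column);
    RangerAccessRequestImpl req = new RangerAccessRequestImpl();
    req.setResource(resource);
    req.setAccessType("select");
    req.setUser(user);
    req.setUserGroups(groups);
    req.setAction("select");
    return req;
  }

  private static String dedupKey(String user, String db, String table, String column) {
    // Identifiers are lower-cased so differently-cased references dedupe together (assumption).
    return user + "|" + (db + "." + table + "." + column).toLowerCase();
  }
}
```

In use, analysis would call evalDuringAnalysis for each masked column and authorization would call replayDuringAuthorization with the real audit handler; if authorization fails first, the pending requests are simply discarded, so no masking audit is written for a query that never ran.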
