Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/15412 )
Change subject: IMPALA-9350: Produce Ranger audits for column masking ...................................................................... Patch Set 8: Code-Review+2 (6 comments) Thanks for fixing this! http://gerrit.cloudera.org:8080/#/c/15412/3/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java File fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java: http://gerrit.cloudera.org:8080/#/c/15412/3/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java@419 PS3, Line 419: TClientRequest clientRequest; : AuthorizationContext authzCtx = null; : : try { : clientRequest = queryCtx_.getClient_request(); : authzCtx = authzChecker.createAuthorizationContext(true, : clientRequest.isSetRedacted_stmt() ? : clientRequest.getRedacted_stmt() : clientRequest.getStmt(), : queryCtx_.getSession(), Optional.of(timeline_)); : // TODO (IMPALA-9597): Generating > A solution/hack to generate the audit events after analyzes would be to cal Yeah, we can even "replay" the requests after the plan is generated so we can avoid audits on non-materialized columns. http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java File fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java: http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java@518 PS8, Line 518: authzCtx After query rewrite, TableRefs are reset and will be masked again in the re-analyze phase. Will reusing the same authzCtx generates double audit events for column masking? If so, we can fix this in IMPALA-9597 as well. Or can we just simply use a new authzCtx? http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/authorization/TableMask.java File fe/src/main/java/org/apache/impala/authorization/TableMask.java: http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/authorization/TableMask.java@26 PS8, Line 26: import org.apache.impala.authorization.ranger.RangerBufferAuditHandler; unused import http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java File fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java: http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java@222 PS8, Line 222: i = i + 1 nit: ++i http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java@264 PS8, Line 264: i = i + 1 nit: ++i http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java@307 PS8, Line 307: i = i + 1 nit: ++i -- To view, visit http://gerrit.cloudera.org:8080/15412 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I9d8a1181234dcef580f68f56c24ad7e962cfe58e Gerrit-Change-Number: 15412 Gerrit-PatchSet: 8 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Fri, 03 Apr 2020 08:30:50 +0000 Gerrit-HasComments: Yes
