Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/15412 )
Change subject: IMPALA-9350: Produce Ranger audits for column masking ...................................................................... Patch Set 8: (5 comments) http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java File fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java: http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java@518 PS8, Line 518: authzCtx > After query rewrite, TableRefs are reset and will be masked again in the re Thanks Quanlong for pointing this out! You are right. If a query requires a rewrite operation, then SubqueryRewriter()#rewrite() will be called at https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java#L476, which in turn results in one or more duplicate audits on the same column. Furthermore, after the rewrite operation, 'reAnalyze' will be set to true, resulting analyze() being called again at https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java#L507, which also results in one more duplicate audit on the same column. Take the query "select id, string_col from functional.alltypes a where exists (select id from functional.alltypestiny where id = a.id) order by id" for example, in total there will be 4 audit events for the column 'string_col' of the table 'functional.alltypestiny' given that there is a column masking policy for the column 'string_col' of the table 'functional.alltypestiny'. I think it may be better that we fix this in IMPALA-9597 since I may need more time investigating the issue. http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/authorization/TableMask.java File fe/src/main/java/org/apache/impala/authorization/TableMask.java: http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/main/java/org/apache/impala/authorization/TableMask.java@26 PS8, Line 26: import org.apache.impala.authorization.ranger.RangerBufferAuditHandler; > unused import Thanks for catching this! I have removed it. http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java File fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java: http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java@222 PS8, Line 222: i = i + 1 > nit: ++i Done http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java@264 PS8, Line 264: i = i + 1 > nit: ++i Done http://gerrit.cloudera.org:8080/#/c/15412/8/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java@307 PS8, Line 307: i = i + 1 > nit: ++i Done -- To view, visit http://gerrit.cloudera.org:8080/15412 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I9d8a1181234dcef580f68f56c24ad7e962cfe58e Gerrit-Change-Number: 15412 Gerrit-PatchSet: 8 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Fri, 03 Apr 2020 21:36:59 +0000 Gerrit-HasComments: Yes
