Fang-Yu Rao has uploaded a new patch set (#3). ( http://gerrit.cloudera.org:8080/16524 )
Change subject: IMPALA-10192: Filter out redundant AuthzAuditEvent's for column masking
......................................................................

IMPALA-10192: Filter out redundant AuthzAuditEvent's for column masking

We found that Ranger would generate an AuthzAuditEvent as long as there
exists a column masking policy corresponding to the column even though
the policy does not apply to the requesting user. This resulted in an
IllegalStateException if a user "A" submits a SELECT query against a
table that has a column specified in a column masking policy when the
policy does not apply to "A", i.e., the field of 'Select User' for this
policy in the Ranger web UI does not contain "A".

For such an AuthzAuditEvent, its field of 'accessType' will not be one
of the supported mask types since its corresponding
accessResult.isMaskEnabled() would evaluate to false, indicating that
there is no matching column masking policy associated with the user "A"
and thus the AuthzAuditEvent will not be post-processed by Impala in
RangerAuthorizationChecker#createColumnMask(). But since we did not
filter out such an AuthzAuditEvent when it was generated and returned
from RangerBasePlugin#evalDataMaskPolicies(), we failed the check that
requires every AuthzAuditEvent be column masking-related in
RangerAuthorizationContext#stashAuditEvents().

To address this issue, in this patch we filter out such an
AuthzAuditEvent after each call to
RangerBasePlugin#evalDataMaskPolicies() so that no redundant
AuthzAuditEvent is generated. Furthermore, we also revise all the checks
for the generated AuthzAuditEvent's due to the evaluation of column
masking policies so that a failed check would also result in an entry in
the error log.

Testing:
- Added a new column masking policy associated with a non-matching user
  in RangerAuditLogTest#testAuditsForColumnMasking() to verify that the
  redundant AuthzAuditEvent is removed.
- Verified that the patch passes the exhaustive tests in the DEBUG
  build.

Change-Id: I1dbf65874003523b5176680e42f26fa2114c229b
---
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationContext.java
M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
3 files changed, 53 insertions(+), 9 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/24/16524/3
--
To view, visit http://gerrit.cloudera.org:8080/16524
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I1dbf65874003523b5176680e42f26fa2114c229b
Gerrit-Change-Number: 16524
Gerrit-PatchSet: 3
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
