Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/18656 )
Change subject: IMPALA-11382: Produce log for unauthorized SELECT on non-existing table
......................................................................

Patch Set 1: Code-Review+1

(1 comment)

http://gerrit.cloudera.org:8080/#/c/18656/1//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/18656/1//COMMIT_MSG@9
PS1, Line 9: This patch revised the logic of Ranger audit log generation such that
           : unauthorized SELECT operation on non-existing tables would be produced
           : as well.
           :
           : In addition, this patch also fixed a subtle bug where an authorized
           : table event could be produced even though the authorization failed with
           : respect to a deny policy on a column in the same table.
I struggled a bit to understand how the change leads to these different behaviors. Is my understanding right?
- In case of selects, before this change we only kept column events.
- We only kept the first event that survived the filter above.
- The two rules above led to logging only the first failed column authorization request, and in case there were no column requests (non-existing tables), we didn't write anything to the audit log.
- This change no longer filters out table events in select, and this fixes IMPALA-11382, while leading to a table event being logged instead of a column event in case the user had no privileges on the table, because the table event will come before the column events.

--
To view, visit http://gerrit.cloudera.org:8080/18656
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I92b2a6acc920de1d2d14b991c374a4550e742f7b
Gerrit-Change-Number: 18656
Gerrit-PatchSet: 1
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Aman Sinha <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Kurt Deschler <[email protected]>
Gerrit-Reviewer: Quanlong Huang <[email protected]>
Gerrit-Comment-Date: Thu, 23 Jun 2022 12:12:37 +0000
Gerrit-HasComments: Yes
