Fang-Yu Rao has uploaded a new patch set (#2). ( http://gerrit.cloudera.org:8080/18656 )
Change subject: IMPALA-11382: Produce log for unauthorized SELECT on non-existing table ...................................................................... IMPALA-11382: Produce log for unauthorized SELECT on non-existing table This patch revised the logic of Ranger audit log generation such that unauthorized SELECT operation on non-existing tables would be produced as well. Note that after this change, in the case of an unauthorized SELECT operation on an existing table, Impala will produce a table event instead of the first failing column event because we do not filter out the table event for an unauthorized SELECT operation like what we did before. In addition, this patch fixed a subtle bug where an authorized table event could be produced even though the authorization failed due to a deny policy on a column in the same table. The code comment in RangerAuthorizationChecker#authorizeTableAccess() was also updated to reflect Impala's current behavior with respect to Ranger audit log generation. Testing: - Added a test case to verify the log corresponding to an unauthorized SELECT operation on a non-existing table is produced. - Manually verified that an authorized table event won't be produced when the requesting user is granted the SELECT privilege on a table but is denied access to a column in the same table. Change-Id: I92b2a6acc920de1d2d14b991c374a4550e742f7b --- M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java 2 files changed, 43 insertions(+), 21 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/56/18656/2 -- To view, visit http://gerrit.cloudera.org:8080/18656 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I92b2a6acc920de1d2d14b991c374a4550e742f7b Gerrit-Change-Number: 18656 Gerrit-PatchSet: 2 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Kurt Deschler <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]>
