Fang-Yu Rao has uploaded a new patch set (#2). ( http://gerrit.cloudera.org:8080/18850 )
Change subject: IMPALA-11494: Don't always produce Ranger audit log for authorized query ...................................................................... IMPALA-11494: Don't always produce Ranger audit log for authorized query Before this patch, when Impala could not resolve a given table '<db_name>.<tbl_name>' during the query analysis, Impala would still attempt to register 2 privilege requests. One was for the table '<tbl_name>' under the database '<db_name>' and the other was for the table '<db_name>' under the database 'default'. The first one should be registered since Impala had to determine whether such an access should be allowed (even though in fact the table did not exist), whereas the second one was incorrect in that 'default.<db_name>' definitely was not '<db_name>.<tbl_name>' in general. Furthermore, Impala always sent audit log entries to the Ranger server for an authorized query against non-existing table(s). The 2 facts described above resulted in Impala producing Ranger audit log entries for the tables '<db_name>.<tbl_name>' and 'default.<db_name>' when a requesting user granted sufficient privileges on the databases of '<db_name>' and 'default' submitted a query against a non-existing table '<db_name>.<tbl_name>'. None of the audit log entries should be generated because i) the privilege request for '<db_name>.<tbl_name>' was allowed and '<db_name>.<tbl_name>' did not exist, and ii) 'default.<db_name>' did not correspond to a table. This patch fixes the 2 issues mentioned above so that Impala will not generate any Ranger audit log entry for an authorized query against a non-existing table. Testing: - Added a frontend test case to verify no Ranger audit log entry will be produced for an authorized query against a non-existing table. Change-Id: I701652e457d3118f43249e83be933713b17ce48f --- M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java M fe/src/main/java/org/apache/impala/analysis/Analyzer.java M fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java 7 files changed, 71 insertions(+), 21 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/50/18850/2 -- To view, visit http://gerrit.cloudera.org:8080/18850 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I701652e457d3118f43249e83be933713b17ce48f Gerrit-Change-Number: 18850 Gerrit-PatchSet: 2 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Aman Sinha <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]>
