-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71693/#review218464
-----------------------------------------------------------

hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
Lines 47 (patched)
<https://reviews.apache.org/r/71693/#comment306195>

    Please add show current roles command as well.


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 105 (patched)
<https://reviews.apache.org/r/71693/#comment306193>

    Add one more command for show current roles.

    Also grant and revoke role commands are supported for group(s) and role(s) as well. Multiple users/groups/roles can be specified with comma separated values. These commands also support with or without "ADMIN OPTION". Not sure if we want to capture it here.
    Format of these commands are:

    GRANT role_name [, role_name] ...
    TO principal_specification [, principal_specification] ...
    [ WITH ADMIN OPTION ];

    principal_specification
      : USER user
      | GROUP group
      | ROLE role

    REVOKE [ADMIN OPTION FOR] role_name [, role_name] ...
    FROM principal_specification [, principal_specification] ... ;

    principal_specification
      : USER user
      | GROUP group
      | ROLE role


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 106 (patched)
<https://reviews.apache.org/r/71693/#comment306194>

    Similarly show role grant command is also supported for group and role.

    SHOW ROLE GRANT (USER|GROUP|ROLE) principal_name;


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 435 (patched)
<https://reviews.apache.org/r/71693/#comment306197>

    I think we need to pass on hivePrincipals as to createAuditEvent as these are the ones that are granted to a role or revoked from a role.


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Line 469 (original), 509 (patched)
<https://reviews.apache.org/r/71693/#comment306198>

    Similar to grantRole, hivePrincipals should be captured in the audit event.
    For each HivePrincipal, we can get the type (user, group, or role).
    principal.getType()


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 2533 (patched)
<https://reviews.apache.org/r/71693/#comment306196>

    Nit pick - Method name misspelled? createRangerHiveAccessRequest


hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 2596 (patched)
<https://reviews.apache.org/r/71693/#comment306199>

    Please review Grant and Revoke commands as commented above.


- Sailaja Polavarapu


On Oct. 29, 2019, 5:04 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71693/
> -----------------------------------------------------------
>
> (Updated Oct. 29, 2019, 5:04 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni,
> Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj,
> Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2631
>     https://issues.apache.org/jira/browse/RANGER-2631
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2631: Ranger Audit logs for SHOW commands related to ROLE
> operations in Hive
>
>
> Diffs
> -----
>
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 765da59
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java f10bde4
>
>
> Diff: https://reviews.apache.org/r/71693/diff/1/
>
>
> Testing
> -------
>
> Testing done by executing following hive commands
> CREATE ROLE, DROP ROLE, SHOW ROLES, SHOW PRINCIPAL <role>, GRANT ROLE, REVOKE
> ROLE, SHOW CURRENT ROLE
>
>
> Thanks,
>
> Ramesh Mani
>
>
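
The GRANT, REVOKE and SHOW ROLE GRANT formats quoted in the review above, as an added example that is not part of the review or of the RANGER-2631 patch: a standalone Python parser that pulls out the roles, the typed principals and the ADMIN OPTION flag an audit record would need. `parse_role_command` and the sample statement are hypothetical, and role and principal names are assumed to be unquoted identifiers.

```python
import re

# Formats as quoted in the review comments:
#   GRANT role[, role]... TO principal[, principal]... [WITH ADMIN OPTION];
#   REVOKE [ADMIN OPTION FOR] role[, role]... FROM principal[, principal]...;
#   SHOW ROLE GRANT (USER|GROUP|ROLE) principal_name;
# where principal is: USER user | GROUP group | ROLE role
FLAGS = re.IGNORECASE | re.DOTALL
END = r"\s*;?\s*$"
COMMANDS = (
    ("GRANT", re.compile(r"\s*GRANT\s+(?P<roles>.+?)\s+TO\s+(?P<principals>.+?)"
                         r"(?P<admin>\s+WITH\s+ADMIN\s+OPTION)?" + END, FLAGS)),
    ("REVOKE", re.compile(r"\s*REVOKE\s+(?P<admin>ADMIN\s+OPTION\s+FOR\s+)?"
                          r"(?P<roles>.+?)\s+FROM\s+(?P<principals>.+?)" + END, FLAGS)),
    ("SHOW ROLE GRANT", re.compile(r"\s*SHOW\s+ROLE\s+GRANT\s+(?P<principals>.+?)" + END, FLAGS)),
)
PRINCIPAL = re.compile(r"(USER|GROUP|ROLE)\s+(\w+)", re.IGNORECASE)
ROLE_NAME = re.compile(r"\w+")  # assumption: unquoted identifiers only


def parse_role_command(sql):
    """Return the fields an audit record needs, or None if sql is not a role command."""
    for action, rx in COMMANDS:
        m = rx.match(sql)
        if not m:
            continue
        found = m.groupdict()
        roles = [r.strip() for r in found["roles"].split(",")] if found.get("roles") else []
        principals = []
        for spec in found["principals"].split(","):
            pm = PRINCIPAL.fullmatch(spec.strip())
            if not pm:
                return None  # principal lacks a USER/GROUP/ROLE type keyword
            principals.append((pm.group(1).upper(), pm.group(2)))
        if not all(ROLE_NAME.fullmatch(r) for r in roles):
            return None  # e.g. a privilege grant: GRANT SELECT ON TABLE t TO USER u
        if action == "SHOW ROLE GRANT" and len(principals) != 1:
            return None  # the format takes exactly one principal
        return {"action": action, "roles": roles, "principals": principals,
                "admin_option": found.get("admin") is not None}
    return None


# Constructed sample statement (not taken from the patch or its testing notes).
SAMPLE = "GRANT analyst, auditor TO USER alice, GROUP finance WITH ADMIN OPTION;"
if __name__ == "__main__":
    print(parse_role_command(SAMPLE))
```

Each `(type, name)` pair corresponds to what the review asks the audit event to record for every principal in a grant or revoke.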
