> On April 22, 2025, 1:13 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
> > Line 666 (original), 666 (patched)
> > <https://reviews.apache.org/r/75377/diff/2/?file=2297962#file2297962line666>
> >
> >     It seems updates in GdsDBStore, GdsREST and
> >     RangerGdsDataShareInDatasetService may be avoided by having all admin audit
> >     logic contained within RangerAuditedModelService.

With the current implementation, all updates in GdsDBStore, GdsREST, and 
RangerGdsDataShareInDatasetService already go through 
RangerAuditedModelService::createTransactionLog.

This patch adds additional logic through processHierarchicalLogs to generate 
hierarchy-level logs, in addition to the existing createTransactionLog behavior.

This doesn't disrupt the existing audit logic. However, if you see any specific 
issues or concerns, could you please share more details?


> On April 22, 2025, 1:13 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
> > Lines 203 (patched)
> > <https://reviews.apache.org/r/75377/diff/2/?file=2297963#file2297963line203>
> >
> >     Is `isDataShareUpdated` used to skip admin audit log when a data share
> >     is created? Such optimization may not be useful and creates unnecessary
> >     noise in the code. Please review and revert.

With the existing logic, DataShare creation already triggers the generation of 
logs for itself and all hierarchically impacted entities. However, this is not 
the case during updates to a DataShare, where such comprehensive logging is not 
present.

Without the isDataShareUpdated check, the latest patch may lead to a duplicate 
set of logs being generated for the DataShare creation scenario, since the 
hierarchical logs would be triggered again unnecessarily. To prevent this 
redundancy and maintain accurate logging, it was necessary to differentiate 
between DataShare Create and Update events.

Let me know if further clarification or changes are needed.


- Radhika


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75377/#review227307
-----------------------------------------------------------


On April 22, 2025, 8:58 p.m., Radhika Kundam wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75377/
> -----------------------------------------------------------
> 
> (Updated April 22, 2025, 8:58 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-5170
>     https://issues.apache.org/jira/browse/RANGER-5170
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Improve Ranger logging to capture all hierarchical events for better 
> visibility and traceability.
> 
> Currently, Ranger logs only direct changes to an entity, missing related 
> updates across interconnected entities. For example, when a resource is 
> created or updated, only a resource log is generated, making it difficult to 
> track associated changes in dependent entities.
> 
> With this change, Ranger will generate logs for all impacted entities in the 
> hierarchy. Example:
> 
> If a resource is modified, logs will be created for:
> Resource
> Datashare (if the resource is part of a datashare)
> DataShareInDataset (if the datashare is linked to a dataset)
> Dataset
> 
> This transaction will log all the hierarchical logs and it'll include details 
> of the changed resource to ensure complete visibility.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java b1431cf71
>   security-admin/src/main/java/org/apache/ranger/db/XXGdsDatasetPolicyMapDao.java b1ff36ad0
>   security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java 84009c3fa
>   security-admin/src/main/java/org/apache/ranger/service/RangerAuditedModelService.java edf514b1f
>   security-admin/src/main/java/org/apache/ranger/service/RangerGdsDataShareInDatasetService.java cfe623eae
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 3559877d5
> 
> 
> Diff: https://reviews.apache.org/r/75377/diff/3/
> 
> 
> Testing
> -------
> 
> Tested locally. Attached example scenario of logs before and after the change.
> 
> 
> File Attachments
> ----------------
> 
> Example Logs with updated patch
>   
> https://reviews.apache.org/media/uploaded/files/2025/04/01/d804c504-c65c-40e4-953b-5632c265057f__LogsBeforeAndAfterHierarchicalLogsPatch.png
> 
> 
> Thanks,
> 
> Radhika Kundam
> 
>
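The hierarchical audit logging discussed in this thread, sketched as an added example that is not part of the review request or of Ranger's code: one audit line per impacted entity under a shared transaction id, with the parent walk skipped when the caller reports that the hierarchy was already logged (the create case). All class, method, and field names and the sample hierarchy are hypothetical and constructed for illustration.

```java
import java.util.*;

// Added illustration; names are hypothetical and do not reflect Ranger's API.
public class HierarchicalAuditExample {
    enum Op { CREATE, UPDATE }

    // Constructed sample hierarchy: entity -> parent entities impacted by a change to it.
    static final Map<String, List<String>> PARENTS = new HashMap<>();
    static {
        PARENTS.put("resource:10", Arrays.asList("datashare:5"));
        PARENTS.put("datashare:5", Arrays.asList("dataShareInDataset:7"));
        PARENTS.put("dataShareInDataset:7", Arrays.asList("dataset:2"));
    }

    // Returns one audit line per impacted entity. Every line carries the same
    // transaction id, and parent lines name the entity whose change caused them.
    static List<String> auditLogs(String txnId, String changed, Op op, boolean hierarchyAlreadyLogged) {
        List<String> logs = new ArrayList<>();
        logs.add(txnId + " " + op + " " + changed);      // direct log, always written
        if (hierarchyAlreadyLogged) {
            return logs;                                 // avoid a duplicate set of parent logs
        }
        Set<String> seen = new HashSet<>(Collections.singleton(changed));
        Deque<String> queue = new ArrayDeque<>(Collections.singleton(changed));
        while (!queue.isEmpty()) {
            List<String> parents = PARENTS.getOrDefault(queue.poll(), Collections.<String>emptyList());
            for (String parent : parents) {
                if (seen.add(parent)) {                  // each entity is logged once per transaction
                    logs.add(txnId + " UPDATE " + parent + " cause=" + changed);
                    queue.add(parent);
                }
            }
        }
        return logs;
    }

    public static void main(String[] args) {
        // Resource update: walks resource -> datashare -> dataShareInDataset -> dataset.
        auditLogs("txn-1", "resource:10", Op.UPDATE, false).forEach(System.out::println);
        // Create path where the caller states the hierarchy logs were already written.
        auditLogs("txn-2", "datashare:5", Op.CREATE, true).forEach(System.out::println);
    }
}
```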
