Fang-Yu Rao created RANGER-5595:
-----------------------------------
Summary: RangerBasePlugin#grantRole() does not produce audit log
even though RangerAccessResultProcessor is provided as a non-null input argument
Key: RANGER-5595
URL: https://issues.apache.org/jira/browse/RANGER-5595
Project: Ranger
Issue Type: Task
Components: plugins, Ranger
Reporter: Fang-Yu Rao
We found
[RangerBasePlugin#grantRole()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1030C59-L1036]
does not produce Ranger audit events even though we provide a non-null
{{RangerAccessResultProcessor}} when calling this method.
{code:java}
public void grantRole(GrantRevokeRoleRequest request,
        RangerAccessResultProcessor resultProcessor) throws Exception {
    LOG.debug("==> RangerBasePlugin.grantRole({})", request);
    getAdminClient().grantRole(request);
    LOG.debug("<== RangerBasePlugin.grantRole({})", request);
}
{code}
We should probably make {{grantRole()}} produce the respective Ranger audit
event when '{{resultProcessor}}' is not null. Notice that for
[RangerBasePlugin#grantAccess()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1046-L1066],
we already produce the respective Ranger audit event when
'{{resultProcessor}}'.
This is probably the reason why we have the following in {{grantRole()}} at
https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609-L612
where we additionally create the corresponding Ranger audit event.
{code:java}
...
} finally {
    RangerAccessResult accessResult = createAuditEvent(hivePlugin,
            username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER,
            roles, result);
    auditHandler.processResult(accessResult);
    auditHandler.flushAudit();
}
...
{code}
{code}
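One possible shape for the behaviour the report asks for, as an added sketch that is not Ranger code and not the reporter's proposal: the role grant is audited in a `finally` block so that failed grants are recorded as well as successful ones, and only when the caller passed a non-null processor. `RoleRequest`, `AuditEvent`, `AdminClient` and `ResultProcessor` are hypothetical stand-ins for the Ranger types, and the sample requests are constructed.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-in types (hypothetical, not Ranger's classes): just enough to show the pattern.
public class GrantRoleAuditSketch {
    record RoleRequest(String grantor, List<String> users, List<String> roles) {}
    record AuditEvent(String action, RoleRequest request, boolean success) {}
    interface AdminClient { void grantRole(RoleRequest r) throws Exception; }
    interface ResultProcessor { void process(AuditEvent e); }

    private final AdminClient admin;
    GrantRoleAuditSketch(AdminClient admin) { this.admin = admin; }

    // Audit in finally so both successful and failed grants leave a record,
    // and only when the caller supplied a processor.
    void grantRole(RoleRequest request, ResultProcessor resultProcessor) throws Exception {
        boolean isSuccess = false;
        try {
            admin.grantRole(request);
            isSuccess = true;
        } finally {
            if (resultProcessor != null) {
                resultProcessor.process(new AuditEvent("grant-role", request, isSuccess));
            }
        }
    }

    public static void main(String[] args) {
        List<AuditEvent> sink = new ArrayList<>();
        // Constructed sample requests.
        RoleRequest ok = new RoleRequest("admin", List.of("alice"), List.of("analyst"));
        RoleRequest bad = new RoleRequest("bob", List.of("bob"), List.of("admin"));
        // Constructed admin client: rejects any grant not issued by "admin".
        GrantRoleAuditSketch plugin = new GrantRoleAuditSketch(r -> {
            if (!"admin".equals(r.grantor())) throw new SecurityException("not authorized");
        });
        try {
            plugin.grantRole(ok, sink::add);
            plugin.grantRole(bad, sink::add);   // throws, but is still audited
        } catch (Exception e) {
            System.out.println("denied: " + e.getMessage());
        }
        // A null processor must not break the grant itself.
        try { plugin.grantRole(ok, null); } catch (Exception e) { throw new IllegalStateException(e); }
        sink.forEach(e -> System.out.println(e.action() + " success=" + e.success()
                + " grantor=" + e.request().grantor() + " roles=" + e.request().roles()));
    }
}
```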