[
https://issues.apache.org/jira/browse/RANGER-5595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated RANGER-5595:
--------------------------------
Description:
We found
[RangerBasePlugin#grantRole()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1030C59-L1036]
does not produce Ranger audit events even though we provide a non-null
{{RangerAccessResultProcessor}} when calling this method.
{code:java}
public void grantRole(GrantRevokeRoleRequest request,
        RangerAccessResultProcessor resultProcessor) throws Exception {
    LOG.debug("==> RangerBasePlugin.grantRole({})", request);
    getAdminClient().grantRole(request);
    LOG.debug("<== RangerBasePlugin.grantRole({})", request);
}
{code}
We should probably make {{grantRole()}} produce the respective Ranger audit
event when '{{resultProcessor}}' is not null. Notice that for
[RangerBasePlugin#grantAccess()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1046-L1066],
we already produce the respective Ranger audit event when
'{{resultProcessor}}' is not null.
This is probably the reason why we have the following in {{grantRole()}} at
https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609-L612
where we additionally create the corresponding Ranger audit event.
{code:java}
...
} finally {
    RangerAccessResult accessResult = createAuditEvent(hivePlugin,
            username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER,
            roles, result);
    auditHandler.processResult(accessResult);
    auditHandler.flushAudit();
}
...
{code}
was:
We found
[RangerBasePlugin#grantRole()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1030C59-L1036]
does not produce Ranger audit events even though we provide a non-null
{{RangerAccessResultProcessor}} when calling this method.
{code:java}
public void grantRole(GrantRevokeRoleRequest request,
        RangerAccessResultProcessor resultProcessor) throws Exception {
    LOG.debug("==> RangerBasePlugin.grantRole({})", request);
    getAdminClient().grantRole(request);
    LOG.debug("<== RangerBasePlugin.grantRole({})", request);
}
{code}
We should probably make {{grantRole()}} produce the respective Ranger audit
event when '{{resultProcessor}}' is not null. Notice that for
[RangerBasePlugin#grantAccess()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1046-L1066],
we already produce the respective Ranger audit event when
'{{resultProcessor}}'.
This is probably the reason why we have the following in {{grantRole()}} at
https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609-L612
where we additionally create the corresponding Ranger audit event.
{code:java}
...
} finally {
    RangerAccessResult accessResult = createAuditEvent(hivePlugin,
            username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER,
            roles, result);
    auditHandler.processResult(accessResult);
    auditHandler.flushAudit();
}
...
{code}
> RangerBasePlugin#grantRole() does not produce audit log even though
> RangerAccessResultProcessor is provided as a non-null input argument
> ----------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5595
> URL: https://issues.apache.org/jira/browse/RANGER-5595
> Project: Ranger
> Issue Type: Task
> Components: plugins, Ranger
> Reporter: Fang-Yu Rao
> Priority: Major
>
> We found
> [RangerBasePlugin#grantRole()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1030C59-L1036]
> does not produce Ranger audit events even though we provide a non-null
> {{RangerAccessResultProcessor}} when calling this method.
> {code:java}
> public void grantRole(GrantRevokeRoleRequest request,
>         RangerAccessResultProcessor resultProcessor) throws Exception {
>     LOG.debug("==> RangerBasePlugin.grantRole({})", request);
>     getAdminClient().grantRole(request);
>     LOG.debug("<== RangerBasePlugin.grantRole({})", request);
> }
> {code}
> We should probably make {{grantRole()}} produce the respective Ranger audit
> event when '{{resultProcessor}}' is not null. Notice that for
> [RangerBasePlugin#grantAccess()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L1046-L1066],
> we already produce the respective Ranger audit event when
> '{{resultProcessor}}' is not null.
> This is probably the reason why we have the following in {{grantRole()}} at
> https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L609-L612
> where we additionally create the corresponding Ranger audit event.
> {code:java}
> ...
> } finally {
>     RangerAccessResult accessResult = createAuditEvent(hivePlugin,
>             username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER,
>             roles, result);
>     auditHandler.processResult(accessResult);
>     auditHandler.flushAudit();
> }
> ...
> {code}
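The behaviour the issue asks for, as an added example that is not Ranger's code and not part of the original message: the grant call is wrapped in `try`/`finally` so that one audit event is emitted whether the admin call succeeds or throws, and only when a processor was supplied. `RoleRequest`, `AuditEvent`, `ResultProcessor` and `AdminClient` are hypothetical stand-ins for the Ranger types, and the sample request is constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class GrantRoleAuditExample {
    // Hypothetical stand-ins for the Ranger request, audit and client types.
    record RoleRequest(String grantor, List<String> users, List<String> roles) {}
    record AuditEvent(String action, RoleRequest request, boolean success) {}
    interface ResultProcessor { void process(AuditEvent event); }
    interface AdminClient { void grantRole(RoleRequest request) throws Exception; }

    private final AdminClient admin;

    GrantRoleAuditExample(AdminClient admin) { this.admin = admin; }

    // Audits every attempt, including failed ones, so a rejected or
    // errored role grant still leaves a record. A null processor means
    // the caller audits elsewhere (or not at all), so nothing is emitted.
    public void grantRole(RoleRequest request, ResultProcessor processor) throws Exception {
        boolean success = false;
        try {
            admin.grantRole(request);
            success = true;
        } finally {
            if (processor != null) {
                processor.process(new AuditEvent("grant-role", request, success));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        List<AuditEvent> audits = new ArrayList<>();
        // Constructed sample request.
        RoleRequest req = new RoleRequest("admin", List.of("alice"), List.of("analyst"));
        AdminClient ok = r -> {};
        AdminClient failing = r -> { throw new Exception("admin rejected request"); };

        new GrantRoleAuditExample(ok).grantRole(req, audits::add);
        try {
            new GrantRoleAuditExample(failing).grantRole(req, audits::add);
        } catch (Exception e) {
            System.out.println("grant failed: " + e.getMessage());
        }
        new GrantRoleAuditExample(ok).grantRole(req, null); // no processor, no event

        audits.forEach(System.out::println);
    }
}
```

If the shared method audits this way, a caller that also builds its own event in a `finally` block, as the Hive authorizer excerpt does, would need to drop one of the two to avoid duplicate records.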