> On Aug. 8, 2018, 3:46 p.m., Arjun Mishra wrote:
> > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
> > Line 1619 (original), 1571 (patched)
> > <https://reviews.apache.org/r/68268/diff/1/?file=2070542#file2070542line1635>
> >
> > Why don't we have an audit log for revoking owner privileges?
>
> Sergio Pena wrote:
> Because there is no information about what is being revoked. The revoke
> happens by the revokeOwnerPrivileges() call.
>
> I initially thought of breaking the code to allow auditing the revoke, but
> something special of the OWNER privilege is that only one role or user can
> have it and it cannot be revoked. So, if you grant the OWNER to a user or
> role, it immediately means nobody else has that privilege, so in this case, it
> does not make sense to log that as the OWNER privilege is assigned to one
> user or role.

So are you saying we can never revoke owner privileges? If yes then I am ok with the change. I would think the owner privilege would get revoked by deleting the hive object. And I know Sentry gets notified of it

- Arjun


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68268/#review206980
-----------------------------------------------------------


On Aug. 8, 2018, 2:29 p.m., Sergio Pena wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68268/
> -----------------------------------------------------------
>
> (Updated Aug. 8, 2018, 2:29 p.m.)
>
>
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
>
>
> Bugs: sentry-2157
>     https://issues.apache.org/jira/browse/sentry-2157
>
>
> Repository: sentry
>
>
> Description
> -------
>
> This patch logs owner privileges grants and revokes.
>
>
> Diffs
> -----
>
>   sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java 61f9168b1970144dbf0b7a7378f2d25e70f1761d
>   sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/audit/SentryAuditLogger.java PRE-CREATION
>   sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java 61becceac881443b02182e6ab1012add4c046499
>   sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java 6479a6055e8c7087f0e484080ec9d46a9c146212
>   sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java 307f38eadb65bf12dc6225cfe43a5d590657d055
>
>
> Diff: https://reviews.apache.org/r/68268/diff/1/
>
>
> Testing
> -------
>
> I ran the patch in a cluster and the audit log is displaying the correct
> messages.
>
> {"serviceName":"Sentry-Service","userName":"ubuntu","impersonator":"","ipAddress":"/127.0.0.1","operation":"GRANT_PRIVILEGE","eventTime":"1533738512795","operationText":"OWNER privilege granted to USER: sergio","allowed":"true","databaseName":"default","tableName":"t2","column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
>
>
> Thanks,
>
> Sergio Pena
>
>