> On Aug. 8, 2018, 3:46 p.m., Arjun Mishra wrote: > > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java > > Line 1619 (original), 1571 (patched) > > <https://reviews.apache.org/r/68268/diff/1/?file=2070542#file2070542line1635> > > > > Why don't we have an audit log for revoking owner privileges? > > Sergio Pena wrote: > Because there is not information about what is being revoked. The revoke > happens by the revokeOwnerPrivileges() call. > > I initially though on breaking the code to allow auditing the revoke, but > something special of the OWNER privilege is that only one role or user can > have it and it cannot be revoked. So, if you grant the OWNER to a user or > role, it immediatly means nobody else has that privilege, so in this case, it > does not make sense to log that as the OWNER privilege is assigned to one > user or role. > > Arjun Mishra wrote: > So are you saying we can never revoke owner privileges? If yes then I am > ok with the change. I would think the owner privilege would get revoked by > deleting the hive object. And I know Sentry gets notified of it
The owner and any other privilege is deleted by Sentry when an object is deleted on HMS. That's (for some reason) hasn't been audited. We might want to audit that too. And yes, the OWNER privilege cannot be revoked, it can only be transferred to another user. - Sergio ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/68268/#review206980 ----------------------------------------------------------- On Aug. 8, 2018, 2:29 p.m., Sergio Pena wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/68268/ > ----------------------------------------------------------- > > (Updated Aug. 8, 2018, 2:29 p.m.) > > > Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li. > > > Bugs: sentry-2157 > https://issues.apache.org/jira/browse/sentry-2157 > > > Repository: sentry > > > Description > ------- > > This patch logs owner privileges grants and revokes. > > > Diffs > ----- > > > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java > 61f9168b1970144dbf0b7a7378f2d25e70f1761d > > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/audit/SentryAuditLogger.java > PRE-CREATION > > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java > 61becceac881443b02182e6ab1012add4c046499 > > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java > 6479a6055e8c7087f0e484080ec9d46a9c146212 > > sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java > 307f38eadb65bf12dc6225cfe43a5d590657d055 > > > Diff: https://reviews.apache.org/r/68268/diff/1/ > > > Testing > ------- > > I run the patch in a cluster and the audit logs is displaying the correct > messages. > > {"serviceName":"Sentry-Service","userName":"ubuntu","impersonator":"","ipAddress":"/127.0.0.1","operation":"GRANT_PRIVILEGE","eventTime":"1533738512795","operationText":"OWNER > privilege granted to USER: > sergio","allowed":"true","databaseName":"default","tableName":"t2","column":null,"resourcePath":null,"objectType":"PRINCIPAL"} > > > Thanks, > > Sergio Pena > >
