[ https://issues.apache.org/jira/browse/IMPALA-8716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16877000#comment-16877000 ]

ASF subversion and git services commented on IMPALA-8716:
---------------------------------------------------------

Commit aee0abd76b762e57ce9f0a2e40a9a8b4f97dc986 in impala's branch 
refs/heads/master from Fredy Wijaya
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=aee0abd ]

IMPALA-8716: Log a group of privileges into a single audit event.

This patch updates the audit log handler to group a privilege that
consists of multiple privileges into a single audit event.

For example if we run "show partitions foo.bar" and we have
SELECT privilege on table "foo.bar", before this patch, we would be
creating 2 audit events:
- Attempt to check if there's INSERT privilege on table "foo.bar"
  Result: denied, access type: insert, resource: foo.bar
- Attempt to check if there's SELECT privilege on table "foo.bar"
  Result: allowed, access type: select, resource: foo.bar

After this patch, we will only create a single audit event, e.g.
Result: allowed, access type: view_metadata, resource: foo.bar

Testing:
- Updated tests in RangerAuditLogTest
- Ran FE tests

Change-Id: Ib53102bc1ceaf9d62544090dc00f3231fae0efca
Reviewed-on: http://gerrit.cloudera.org:8080/13744
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>


> Log a group of privileges into a single audit event
> ---------------------------------------------------
>
>                 Key: IMPALA-8716
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8716
>             Project: IMPALA
>          Issue Type: Sub-task
>          Components: Frontend
>            Reporter: Fredy Wijaya
>            Assignee: Fredy Wijaya
>            Priority: Major
>             Fix For: Impala 3.3.0
>
>
> Some privileges, such as VIEW_METADATA, consist of multiple privileges 
> (INSERT, SELECT, REFRESH). For example, if we run "show partitions 
> foo.bar" and we have SELECT privilege on table "foo.bar", we will be 
> creating 2 audit logs:
> - Attempt to check if there's INSERT privilege on table "foo.bar" -- denied, 
> INSERT, foo.bar
> - Attempt to check if there's SELECT privilege on table "foo.bar" -- allowed, 
> SELECT, foo.bar
> This can be confusing. A better solution is to log this as a single audit 
> log, e.g.
> - allowed, VIEW_METADATA, foo.bar



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
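
The grouping described in the commit message above, modelled as an added example (this is not Impala's code or its Ranger audit handler). The `check` function, the `grants` set and the `AuditEvent` fields are hypothetical names; the any-one-member semantics, the stop-at-first-grant order and the grouped "denied" event are assumptions consistent with the "show partitions foo.bar" case in the message.

```python
from dataclasses import dataclass

# Composite privilege -> the privileges it consists of (as listed in the issue).
COMPOSITE = {"VIEW_METADATA": ("INSERT", "SELECT", "REFRESH")}


@dataclass(frozen=True)
class AuditEvent:
    result: str        # "allowed" or "denied"
    access_type: str   # lower-cased privilege name, as in the commit message
    resource: str


def check(requested, resource, grants, grouped=True):
    """Authorize `requested` on `resource`; return (allowed, audit_events).

    grants: set of (privilege, resource) pairs held by the user (hypothetical model).
    Assumption: a composite privilege is satisfied by any one of its members,
    and members are tried in order until one is granted.
    """
    members = COMPOSITE.get(requested, (requested,))
    per_check = []
    allowed = False
    for priv in members:
        ok = (priv, resource) in grants
        per_check.append(
            AuditEvent("allowed" if ok else "denied", priv.lower(), resource))
        if ok:
            allowed = True
            break
    if not grouped:
        # Behaviour before the patch: one audit event per member check.
        return allowed, per_check
    # Behaviour after the patch: one event carrying the requested privilege.
    outcome = "allowed" if allowed else "denied"
    return allowed, [AuditEvent(outcome, requested.lower(), resource)]


if __name__ == "__main__":
    sample_grants = {("SELECT", "foo.bar")}  # constructed sample input
    for grouped in (False, True):
        _, events = check("VIEW_METADATA", "foo.bar", sample_grants, grouped)
        print("grouped" if grouped else "ungrouped", events)
```

Reports or alerts that match on the per-member access types (insert, select) for such statements would need to match view_metadata once events are grouped.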
