Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/21930 )
Change subject: IMPALA-12648: Add KILL QUERY statement ...................................................................... Patch Set 48: (1 comment) > Patch Set 7: > > (2 comments) > > I left some thoughts on how to generate a Ranger audit event that accurately > reflects whether the requesting user is authorized to execute the KILL QUERY > statement. > > I think for this patch it's okay if we produce an accurate Ranger audit event > only when the requesting user has the ALL privilege on SERVER. We could > resolve the general case, i.e., requesting user is a non-administrative user, > in a follow-up JIRA. > > Thanks! I left an additional comment for myself. Will create a follow-up JIRA to keep track of this. http://gerrit.cloudera.org:8080/#/c/21930/6/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java File fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java: http://gerrit.cloudera.org:8080/#/c/21930/6/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java@185 PS6, Line 185: setRetainAudits(false) > Thanks! I've learned a lot from your comments! I think your idea makes sens This is a note for myself. I just realized in the case when the requesting user has the ALL privilege on SERVER, there is no Ranger audit event generated either. This is because currently we call analyzer.setMaskPrivChecks(null) when analyzing KillQueryStmt. Due to this the privilege request would be added to 'globalState_.maskedPrivilegeReqs' of the Analyzer. Therefore, later on when we call authorize() to authorize such masked privilege requests, no Ranger audit event would be produced because we call authzCtx.setRetainAudits(false) right before authorizing such masked privilege requests. We could deal with this case (the requesting user has the ALL privilege on SERVER) in a follow-up JIRA, probably together with the more general case. -- To view, visit http://gerrit.cloudera.org:8080/21930 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: If12d6e47b256b034ec444f17c7890aa3b40481c0 Gerrit-Change-Number: 21930 Gerrit-PatchSet: 48 Gerrit-Owner: Xuebin Su <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Gabor Kaszab <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Jason Fehr <[email protected]> Gerrit-Reviewer: Joe McDonnell <[email protected]> Gerrit-Reviewer: Michael Smith <[email protected]> Gerrit-Reviewer: Riza Suminto <[email protected]> Gerrit-Reviewer: Xuebin Su <[email protected]> Gerrit-Comment-Date: Tue, 15 Jul 2025 00:34:03 +0000 Gerrit-HasComments: Yes
