[Impala-ASF-CR] IMPALA-10913: Produce Ranger audit log for SHOW DATABASES

Tue, 27 Jan 2026 16:24:07 -0800 

Hello Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/23877

to look at the new patch set (#2).

Change subject: IMPALA-10913: Produce Ranger audit log for SHOW DATABASES
......................................................................

IMPALA-10913: Produce Ranger audit log for SHOW DATABASES

This patch makes Impala produce Ranger audit log for the SHOW DATABASES
and the SHOW DATABASES LIKE statements. Moreover, this patch enforces
the authorization check for the default database, meaning that the
default database will not be shown if the requesting user is not
authorized to view this database according to the Ranger policy
repository.

Note that this patch generates the same RangerAccessRequestImpl for the
SHOW DATABASES statement as Hive does when Ranger is the authorization
provider. Specifically, in
https://github.com/apache/ranger/blob/master/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java,
for the operation of SHOWDATABASES, the constructor of
RangerHiveResource does not populate any field in
RangerAccessResourceImpl. Moreover, when HiveAccessType.USE is passed to
the constructor of RangerHiveAccessRequest, under the covers
'accessType' in RangerAccessRequestImpl will be set to "_any" as shown
in RangerHiveAccessRequest#setHiveAccessType().

Testing:
 - Added test cases to make sure the Ranger audit event will be
   produced.
 - Added test cases to verify the database 'default' will not be shown
   if the requesting user is not allowed to discover the database based
   on the Ranger policy repository.

Change-Id: Idb3e54b152e953916d3d7d7ef27c880a8559ed26
---
M fe/src/main/java/org/apache/impala/analysis/ShowDbsStmt.java
M fe/src/main/java/org/apache/impala/authorization/Authorizable.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java
A fe/src/main/java/org/apache/impala/authorization/AuthorizableNone.java
M 
fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java
M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java
M 
fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
M fe/src/main/java/org/apache/impala/service/Frontend.java
M 
fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
M tests/authorization/test_ranger.py
10 files changed, 122 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/77/23877/2
--
To view, visit http://gerrit.cloudera.org:8080/23877
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Idb3e54b152e953916d3d7d7ef27c880a8559ed26
Gerrit-Change-Number: 23877
Gerrit-PatchSet: 2
Gerrit-Owner: Fang-Yu Rao <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>

Reply via email to