Quanlong Huang has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/23877 )
Change subject: IMPALA-10913: Produce Ranger audit log for SHOW DATABASES ...................................................................... IMPALA-10913: Produce Ranger audit log for SHOW DATABASES This patch makes Impala produce Ranger audit log for the SHOW DATABASES and the SHOW DATABASES LIKE statements. Moreover, this patch enforces the authorization check for the default database, meaning that the default database will not be shown if the requesting user is not authorized to view this database according to the Ranger policy repository. To support this new type of authorization check, we added the class AuthorizableDbList to represent the object to be accessed by those two statements. Note that this patch generates the same RangerAccessRequestImpl for the SHOW DATABASES statement as Hive does when Ranger is the authorization provider. Specifically, in https://github.com/apache/ranger/blob/668b80b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java#L806-L811 for the operation of SHOWDATABASES, the constructor of RangerHiveResource does not populate any field in RangerAccessResourceImpl with a non-null value. Moreover, when HiveAccessType.USE is passed to the constructor of RangerHiveAccessRequest, under the covers 'accessType' in RangerAccessRequestImpl will be set to "_any" as shown in RangerHiveAccessRequest#setHiveAccessType(). Testing: - Added test cases to make sure the Ranger audit event will be produced. - Added test cases to verify the database 'default' will not be shown if the requesting user is not allowed to discover the database based on the Ranger policy repository. Change-Id: Idb3e54b152e953916d3d7d7ef27c880a8559ed26 Reviewed-on: http://gerrit.cloudera.org:8080/23877 Reviewed-by: Quanlong Huang <[email protected]> Tested-by: Impala Public Jenkins <[email protected]> --- M fe/src/main/java/org/apache/impala/analysis/ShowDbsStmt.java M fe/src/main/java/org/apache/impala/authorization/Authorizable.java A fe/src/main/java/org/apache/impala/authorization/AuthorizableDbList.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/service/Frontend.java M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java M tests/authorization/test_ranger.py 10 files changed, 123 insertions(+), 7 deletions(-) Approvals: Quanlong Huang: Looks good to me, approved Impala Public Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/23877 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: Idb3e54b152e953916d3d7d7ef27c880a8559ed26 Gerrit-Change-Number: 23877 Gerrit-PatchSet: 4 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]>
