[Impala-ASF-CR] IMPALA-8400: Implement Ranger audit event handler

Tue, 14 May 2019 15:44:34 -0700 

Austin Nobis has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/13309 )

Change subject: IMPALA-8400: Implement Ranger audit event handler
......................................................................


Patch Set 4:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/13309/4/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
File fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java:

http://gerrit.cloudera.org:8080/#/c/13309/4/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java@435
PS4, Line 435: try {
             :       authzCtx = authzChecker.preAuthorize(analysisResult_, 
catalog_);
             :       authzChecker.authorize(authzCtx, analysisResult_, 
catalog_);
             :     } catch (AuthorizationException e) {
             :       authException = e;
             :     } finally {
             :       if (authzCtx != null) {
             :         authzChecker.postAuthorize(authzCtx, analysisResult_, 
catalog_);
             :       }
             :     }
Had a discussion with Fredy because I didn't understand the purpose of having 
`preAuthorize`, `authorize`, and then `postAuthorize` called sequentially.

The `BaseAuthorizationChecker` class has 2 `authorize` methods with different 
signatures. The `abstract` one is the one that is being `override`'d. This is 
why these 3 methods can't be merged into a single `authorize`.

Fredy and I came to an agreement that we should rename the `abstract authorize` 
method to `authorizeResource` as it is an authorization that occurs per 
resources, whereas the `authorize` being called here is the authorization for 
the entire SQL statement.

The logic flow is as follows:

RangerAuthorizationChecker#preAuthorize
BaseAuthorizationChecker#authorize
  foreach resource: RangerAuthorizationChecker#authorize (authorizeResource)
RangerAuthorizationChecker#postAuthorize

I still think the `preAuthorize`, `authorize`, `postAuthorize` sequence is a 
little strange as the methods execute sequentially.



--
To view, visit http://gerrit.cloudera.org:8080/13309
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ife93c3e708875ef5fc0117153ad8ee225a88518b
Gerrit-Change-Number: 13309
Gerrit-PatchSet: 4
Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <ano...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-Comment-Date: Tue, 14 May 2019 22:44:14 +0000
Gerrit-HasComments: Yes

Reply via email to