Fang-Yu Rao has uploaded this change for review. ( http://gerrit.cloudera.org:8080/15854
Change subject: IMPALA-9597: Eliminate redundant Ranger audits when a query involves column masking ...................................................................... IMPALA-9597: Eliminate redundant Ranger audits when a query involves column masking After IMPALA-9350, Impala is able to produce the corresponding Ranger audits when a query involves policies of column masking. However, redundant audit events could be produced due to the fact that the analysis of the TableRef containing a column involved in a column masking policy could be performed more than once for a query that has to be analyzed more than once. For example, a query consisting of a WithClause or a query that requires a rewrite operation followed by a re-analysis phase would result in RangerImpalaPlugin#evalDataMaskPolicies() being invoked multiple times, each producing an audit log entry for the same column. Moreover, for a query involving column masking policies, the corresponding audit log entries will still be generated even though there is an AuthorizationException thrown in the authorization phase. This patch fixes those two issues described above by adding a post-processing step after the analysis of a query to deduplicate the List of AuthzAuditEvent's for column masking policies. Specifically, instead of updating the List of AuthzAuditEvent's of the corresponding RangerBufferAuditHandler immediately after the deduplication, we clear this List first and add the deduplicated events back to the List only if there is no AuthorizationException. Testing: - Added two test cases in RangerAuditLogTest#testAuditsForColumnMasking() to make sure the issues above are resolved. Change-Id: I42d60130fba93d63fbc36949f2bf746b7ae2497d --- M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java M fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/NoopAuthorizationFactory.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationContext.java M fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java 9 files changed, 151 insertions(+), 32 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/54/15854/1 -- To view, visit http://gerrit.cloudera.org:8080/15854 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I42d60130fba93d63fbc36949f2bf746b7ae2497d Gerrit-Change-Number: 15854 Gerrit-PatchSet: 1 Gerrit-Owner: Fang-Yu Rao <fangyu....@cloudera.com> Gerrit-Reviewer: Csaba Ringhofer <csringho...@cloudera.com> Gerrit-Reviewer: Fang-Yu Rao <fangyu....@cloudera.com> Gerrit-Reviewer: Quanlong Huang <huangquanl...@gmail.com>