[
https://issues.apache.org/jira/browse/IMPALA-14226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-14226:
---------------------------------
Description:
Currently no Ranger audit event is produced after the authorization of the KILL
QUERY statement implemented in IMPALA-12648.
There are 2 cases to consider.
- When the requesting user is granted the ALL privilege on SERVER. This case
is easier. For the KILL QUERY statement, during the authorization, we need to
call authzCtx.setRetainAudits(true) to make Impala produce Ranger's audit event.
- When the requesting user is the owner of the query to be killed. This
requires more work. We may call
{{ExecEnv::GetInstance()\->frontend()\->CallQueryCompleteHooks()}} as done in
[https://github.com/apache/impala/blob/master/be/src/service/client-request-state.cc]
when generating the query lineage. We will have to figure out a) how to
generate the respective AuthzAuditEvent, and b) how to instantiate a
RangerBufferAuditHandler to send the audit event to Ranger service via
{{flush()}}.
was:
Currently no Ranger audit event is produced after the authorization of the KILL
QUERY statement implemented in IMPALA-12648.
There are 2 cases to consider.
- When the requesting user is granted the ALL privilege on SERVER. This case
is easier. For the KILL QUERY statement, during the authorization, we need to
call authzCtx.setRetainAudits(true) to make Impala produce Ranger's audit event.
- When the requesting user is the owner of the query to be killed. This
requires more work. We may call
{{ExecEnv::GetInstance()->frontend()->CallQueryCompleteHooks()}} as done in
[https://github.com/apache/impala/blob/master/be/src/service/client-request-state.cc]
when generating the query lineage. We will have to figure out a) how to
generate the respective AuthzAuditEvent, and b) how to instantiate a
RangerBufferAuditHandler to send the audit event to Ranger service via
{{flush()}}.
> Create Ranger audit event for KILL QUERY statement
> --------------------------------------------------
>
> Key: IMPALA-14226
> URL: https://issues.apache.org/jira/browse/IMPALA-14226
> Project: IMPALA
> Issue Type: Bug
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> Currently no Ranger audit event is produced after the authorization of the
> KILL QUERY statement implemented in IMPALA-12648.
> There are 2 cases to consider.
> - When the requesting user is granted the ALL privilege on SERVER. This case
> is easier. For the KILL QUERY statement, during the authorization, we need to
> call authzCtx.setRetainAudits(true) to make Impala produce Ranger's audit
> event.
> - When the requesting user is the owner of the query to be killed. This
> requires more work. We may call
> {{ExecEnv::GetInstance()\->frontend()\->CallQueryCompleteHooks()}} as done in
> [https://github.com/apache/impala/blob/master/be/src/service/client-request-state.cc]
> when generating the query lineage. We will have to figure out a) how to
> generate the respective AuthzAuditEvent, and b) how to instantiate a
> RangerBufferAuditHandler to send the audit event to Ranger service via
> {{flush()}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
