[
https://issues.apache.org/jira/browse/IMPALA-14991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080783#comment-18080783
]
Fang-Yu Rao commented on IMPALA-14991:
--------------------------------------
cc: [~stigahuang] [~csringhofer] [~arawat]
> Consider calling RangerAccessRequestImpl#setAction() when creating a
> RangerAccessRequestImpl
> --------------------------------------------------------------------------------------------
>
> Key: IMPALA-14991
> URL: https://issues.apache.org/jira/browse/IMPALA-14991
> Project: IMPALA
> Issue Type: Task
> Components: Frontend
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> Currently when constructing a {{RangerAccessRequestImpl}} in
> [RangerAuthorizationChecker#authorizeResource()|https://github.com/apache/impala/blob/0802e29/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L87-L194],
> we do not explicitly set up the field of '{{action}}' by calling
> [RangerAccessRequestImpl#setAction()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java#L266-L268].
> As a result, the field '{{action}}' would be null when we pass the
> {{RangerAccessRequestImpl}} to the Ranger plug-in at
> [plugin_.isAccessAllowed(request, auditHandler)|https://github.com/apache/impala/blob/0802e29/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L698].
> The resulting {{AuthzAuditEvent}} would have had a null field of
> '{{action}}'. But due to RANGER-5594, the field of '{{action}}' in
> the corresponding {{AuthzAuditEvent}} becomes the same as the field
> '{{accessType}}' in the given input argument 'request', which is
> non-null.
>
> On a related note, the field of '{{accessType}}' in the resulting
> {{AuthzAuditEvent}} would have been null too due to the field of
> '{{action}}' in the given input argument 'request' being null (again due
> to RANGER-5594), but since at
> [newAuditEvent.setAccessType(privilege.name().toLowerCase())|https://github.com/apache/impala/blame/0802e29/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L663],
> we explicitly set the field '{{accessType}}', this field in the
> resulting {{AuthzAuditEvent}} becomes non-null. As a result, both fields in
> the resulting {{AuthzAuditEvent}} have the same value.
>
> In a lot of statements, an {{AuthzAuditEvent}} produced by
> [RangerHiveAuthorizer.java|https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java]
> has the same value for the fields of '{{action}}' and
> '{{accessType}}' (or the field of '{{access}}') so the issue/fact in
> Impala as described above seems to be fine.
>
> But for some statements, e.g., "{{GRANT ROLE}}", one field is
> '{{GRANT_ROLE}}', and the other is '{{alter}}' in the Ranger audit
> event produced for Apache Hive.
> {code:json}
> {
> "repoType": 3,
> "repo": "cm_hive",
> "reqUser": "hive",
> "evtTime": "2026-05-12 23:52:21.736",
> "access": "GRANT_ROLE",
> "resource": null,
> "resType": "@null",
> "action": "alter",
> "result": 0,
> "agent": "hiveServer2",
> "policy": -1,
> "reason": null,
> "enforcer": "ranger-acl",
> "sess": null,
> "cliType": null,
> "cliIP": "10.140.225.8",
> "reqData": "grant role_01 to USER livy ",
> "agentHost": "ccycloud-1.cdpd102205d01.root.comops.site",
> "logType": "RangerAudit",
> "id": "2053b6cd-5a4e-4948-a88b-93401b63ad72-0",
> "seq_num": 1,
> "event_count": 1,
> "event_dur_ms": 1,
> "tags": [],
> "datasets": null,
> "projects": null,
> "datasetIds": null,
> "additional_info": "{\"serviceType\":\"hive\",\"forwarded-ip-addresses\":\"[]\",\"remote-ip-address\":\"10.140.225.8\"}",
> "cluster_name": "Cluster 1",
> "zone_name": null,
> "policy_version": null
> }
> {code}
>
> Of course Impala could have its own way of producing the Ranger audit events,
> but if the issue of RANGER-5594 is really getting fixed, we may have to
> populate the field of '{{action}}' explicitly on the Impala side if we
> don't want it to be null.
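
Added example, not part of the Jira message and not Impala or Ranger code: a small Python check an audit consumer could run over Ranger audit events (one JSON object per line) to see, per agent, whether 'action' is missing, merely mirrors 'access', or carries a distinct value as in the Hive GRANT ROLE event quoted above. The sample lines are constructed, and the agent name "impala" and the classification labels are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit lines (one JSON object per line). The first reuses
# the agent/access/action values of the Hive event quoted above; the "impala"
# lines are constructed to show a mirrored and a missing 'action'.
SAMPLE_AUDIT_LINES = """\
{"agent": "hiveServer2", "access": "GRANT_ROLE", "action": "alter", "result": 0}
{"agent": "impala", "access": "select", "action": "select", "result": 1}
{"agent": "impala", "access": "select", "action": null, "result": 1}
{"agent": "impala", "access": "Select", "result": 1}
not-json
"""


def classify(event):
    """Return how the 'action' field relates to 'access' in one audit event."""
    action = event.get("action")
    access = event.get("access")
    if action is None or str(action).strip() == "":
        return "action_missing"
    if access is not None and str(action).lower() == str(access).lower():
        return "action_mirrors_access"
    return "action_distinct"


def summarize(lines):
    """Count classifications per agent; unparsable lines go under '<unparsed>'."""
    summary = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            summary["<unparsed>"]["invalid_json"] += 1
            continue
        summary[event.get("agent") or "<unknown>"][classify(event)] += 1
    return {agent: dict(counts) for agent, counts in summary.items()}


if __name__ == "__main__":
    for agent, counts in summarize(SAMPLE_AUDIT_LINES.splitlines()).items():
        print(agent, counts)
```

An agent whose events only ever land in action_mirrors_access is one where filters or alerts keyed on 'action' add nothing over 'access'; a rise in action_missing for that agent would show the null case the issue anticipates.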