Posted to issues@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2022/08/11 00:32:00 UTC

[jira] [Created] (IMPALA-11494) Ranger audit log entries generated for authorized query against non-existing tables

Fang-Yu Rao created IMPALA-11494:
------------------------------------

             Summary: Ranger audit log entries generated for authorized query against non-existing tables
                 Key: IMPALA-11494
                 URL: https://issues.apache.org/jira/browse/IMPALA-11494
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend
    Affects Versions: Impala 4.1.0, Impala 4.0.0
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


We found that Impala will generate (confusing) Ranger audit log entries for a query against non-existing tables when the query is authorized (i.e., no {{AuthorizationException}} thrown).

Specifically, to reproduce the issue, it suffices to perform the following steps.
 # As the user '{{admin}}', execute in Impala shell "{{GRANT ALL ON DATABASE functional to user <user_name>}}".
 # Set a breakpoint at [auditHandler.flush()|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L197] and attach a debugger to the Impala daemon.
 # As the user '{{<user_name>}}', execute in Impala shell "{{SELECT * FROM functional.test_tbl_01}}", where '{{functional.test_tbl_01}}' is a non-existing table.
 # Use the debugger to inspect the produced {{AuthzAuditEvent}}s. We will find out that there are 2 audit log entries generated like the following. The first is for the table '{{functional/test_tbl_01}}' and the second is for the table '{{default/functional}}'. This could be seen in the field of '{{resourcePath}}' in an {{AuthzAuditEvent}}.
{code:java}
0 = {AuthzAuditEvent@6887} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=functional/test_tbl_01;resourceType=@table;action=select;accessResult=1;agentId=impala;policyId=12;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=af92b724-1038-4a2c-9295-2bf6e7fbebe8-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=1;additionalInfo=null}"
1 = {AuthzAuditEvent@6888} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=default/functional;resourceType=@table;action=select;accessResult=0;agentId=impala;policyId=-1;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=c090e009-d1a5-47ff-8b1e-87a9dfa64824-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=null;additionalInfo=null}"
{code}

We should not generate such confusing audit log entries for an authorized query against non-existing tables.



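A triage heuristic for audit data already collected, added here as an example and not taken from Impala or Ranger code: it groups events by query and flags a denial whose {{resourcePath}} is {{default/<db>}} when the same query also has an allowed access under {{<db>/...}}, the pattern in the two events above. The function names, the {{prefix_db}} parameter, the placeholder event IDs and the control event for a hypothetical table {{secret/t}} are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the report's two events abridged to the fields used here
# (event IDs replaced by placeholders), plus one ordinary denial as a control.
SAMPLE = [
    "AuthzAuditEvent{user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;"
    "resourcePath=functional/test_tbl_01;accessResult=1;policyId=12;"
    "requestData=select * from functional.test_tbl_01;eventId=evt-1}",
    "AuthzAuditEvent{user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;"
    "resourcePath=default/functional;accessResult=0;policyId=-1;"
    "requestData=select * from functional.test_tbl_01;eventId=evt-2}",
    "AuthzAuditEvent{user=fangyurao;eventTime=Wed Aug 10 17:12:03 PDT 2022;"
    "resourcePath=secret/t;accessResult=0;policyId=-1;"
    "requestData=select * from secret.t;eventId=evt-3}",
]

def parse_event(text):
    """Turn 'AuthzAuditEvent{k=v;k=v;...}' into a dict of strings."""
    body = re.search(r"AuthzAuditEvent\{(.*)\}", text, re.S).group(1)
    # Split only at ';' that starts a new 'key=' so a ';' inside requestData survives.
    return dict(field.split("=", 1) for field in re.split(r";(?=\w+=)", body))

def spurious_denials(events, prefix_db="default"):
    """Return eventIds of denials that shadow an allowed access of the same query."""
    by_query = defaultdict(list)
    for e in events:
        by_query[(e["user"], e["eventTime"], e["requestData"])].append(e)
    flagged = []
    for group in by_query.values():
        # Databases in which this query had an allowed access (accessResult=1).
        allowed = {e["resourcePath"].split("/")[0]
                   for e in group if e["accessResult"] == "1"}
        shadows = {f"{prefix_db}/{db}" for db in allowed}
        for e in group:
            # Same shape as the report's second event: denied, policyId=-1,
            # and the path is the allowed database name reused as a table name.
            if (e["accessResult"] == "0" and e["policyId"] == "-1"
                    and e["resourcePath"] in shadows):
                flagged.append(e["eventId"])
    return flagged

if __name__ == "__main__":
    print(spurious_denials([parse_event(s) for s in SAMPLE]))
```

The control event is not flagged because its query has no allowed access to pair with, so ordinary denials stay visible to reviewers.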