You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@impala.apache.org by tm...@apache.org on 2019/06/19 16:57:37 UTC
[impala] 02/05: IMPALA-8658: Populate missing Ranger audit fields
This is an automated email from the ASF dual-hosted git repository.
tmarshall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 2b76da027dfd4bda9992122ef92ed12108dfc9df
Author: Fredy Wijaya <fw...@cloudera.com>
AuthorDate: Wed Jun 12 16:05:25 2019 -0500
IMPALA-8658: Populate missing Ranger audit fields
This patch adds missing Ranger audit fields, such as:
- Client IP
- Cluster name
This patch also updates the access type to be in upper case to be
consistent with Hive Ranger audit. The SQL statement logged will now
return a redacted statement when the redacted flag is set.
Testing:
- Updated the tests in RangerAuditLogTest
- Ran all FE tests
- Tested the changes against Solr cluster
Change-Id: I167bc35411ad9b4164c292077ff082671967cff8
Reviewed-on: http://gerrit.cloudera.org:8080/13601
Reviewed-by: Todd Lipcon <to...@apache.org>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
be/src/service/client-request-state.cc | 4 ++
common/thrift/CatalogService.thrift | 6 ++
.../apache/impala/analysis/AnalysisContext.java | 6 +-
.../impala/analysis/GrantRevokePrivStmt.java | 1 -
.../impala/authorization/AuthorizationChecker.java | 5 +-
.../impala/authorization/AuthorizationManager.java | 26 ++++----
.../authorization/BaseAuthorizationChecker.java | 2 +-
.../authorization/NoopAuthorizationFactory.java | 22 +++----
.../ranger/RangerAuthorizationChecker.java | 25 +++++---
.../ranger/RangerAuthorizationContext.java | 8 +++
.../ranger/RangerBufferAuditHandler.java | 31 +++++++---
.../ranger/RangerCatalogdAuthorizationManager.java | 70 ++++++++++++----------
.../ranger/RangerImpaladAuthorizationManager.java | 25 ++++----
.../sentry/SentryAuthorizationChecker.java | 3 +-
.../sentry/SentryCatalogdAuthorizationManager.java | 31 +++++-----
.../sentry/SentryImpaladAuthorizationManager.java | 22 +++----
.../apache/impala/service/CatalogOpExecutor.java | 30 +++++-----
.../java/org/apache/impala/service/Frontend.java | 7 ++-
.../authorization/AuthorizationTestBase.java | 8 +--
.../authorization/ranger/RangerAuditLogTest.java | 5 +-
.../org/apache/impala/common/FrontendTestBase.java | 3 +-
fe/src/test/resources/ranger-hive-audit.xml | 7 +++
22 files changed, 213 insertions(+), 134 deletions(-)
diff --git a/be/src/service/client-request-state.cc b/be/src/service/client-request-state.cc
index 6b2ab39..010157b 100644
--- a/be/src/service/client-request-state.cc
+++ b/be/src/service/client-request-state.cc
@@ -1070,6 +1070,10 @@ Status ClientRequestState::UpdateCatalog() {
catalog_update.__set_sync_ddl(exec_request().query_options.sync_ddl);
catalog_update.__set_header(TCatalogServiceRequestHeader());
catalog_update.header.__set_requesting_user(effective_user());
+ catalog_update.header.__set_client_ip(session()->network_address.hostname);
+ catalog_update.header.__set_redacted_sql_stmt(
+ query_ctx_.client_request.__isset.redacted_stmt ?
+ query_ctx_.client_request.redacted_stmt : query_ctx_.client_request.stmt);
if (!GetCoordinator()->dml_exec_state()->PrepareCatalogUpdate(&catalog_update)) {
VLOG_QUERY << "No partitions altered, not updating metastore (query id: "
<< PrintId(query_id()) << ")";
diff --git a/common/thrift/CatalogService.thrift b/common/thrift/CatalogService.thrift
index f76e2c3..ccabdc8 100644
--- a/common/thrift/CatalogService.thrift
+++ b/common/thrift/CatalogService.thrift
@@ -47,6 +47,12 @@ const string CATALOG_TOPIC_V2_PREFIX = "2:";
struct TCatalogServiceRequestHeader {
// The effective user who submitted this request.
1: optional string requesting_user
+
+ // The redacted SQL statement to be logged.
+ 2: optional string redacted_sql_stmt
+
+ // The client IP address.
+ 3: optional string client_ip
}
// Returns details on the result of an operation that updates the catalog. Information
diff --git a/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java b/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
index 47ee010..1c1e059 100644
--- a/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
+++ b/fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
@@ -36,6 +36,7 @@ import org.apache.impala.common.ImpalaException;
import org.apache.impala.common.RuntimeEnv;
import org.apache.impala.rewrite.ExprRewriter;
import org.apache.impala.thrift.TAccessEvent;
+import org.apache.impala.thrift.TClientRequest;
import org.apache.impala.thrift.TLineageGraph;
import org.apache.impala.thrift.TQueryCtx;
import org.apache.impala.thrift.TQueryOptions;
@@ -420,8 +421,11 @@ public class AnalysisContext {
AuthorizationException authException = null;
AuthorizationContext authzCtx = null;
try {
+ TClientRequest clientRequest = queryCtx_.getClient_request();
authzCtx = authzChecker.createAuthorizationContext(true,
- queryCtx_.client_request.stmt);
+ clientRequest.isSetRedacted_stmt() ?
+ clientRequest.getRedacted_stmt() : clientRequest.getStmt(),
+ queryCtx_.getSession());
authzChecker.authorize(authzCtx, analysisResult_, catalog_);
} catch (AuthorizationException e) {
authException = e;
diff --git a/fe/src/main/java/org/apache/impala/analysis/GrantRevokePrivStmt.java b/fe/src/main/java/org/apache/impala/analysis/GrantRevokePrivStmt.java
index 0fe898e..6372fe7 100644
--- a/fe/src/main/java/org/apache/impala/analysis/GrantRevokePrivStmt.java
+++ b/fe/src/main/java/org/apache/impala/analysis/GrantRevokePrivStmt.java
@@ -19,7 +19,6 @@ package org.apache.impala.analysis;
import java.util.List;
-import org.apache.impala.catalog.Role;
import org.apache.impala.common.AnalysisException;
import org.apache.impala.thrift.TGrantRevokePrivParams;
import org.apache.impala.thrift.TPrincipalType;
diff --git a/fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java b/fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java
index 2b8525c..e582d2a 100644
--- a/fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java
+++ b/fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java
@@ -20,6 +20,7 @@ package org.apache.impala.authorization;
import org.apache.impala.analysis.AnalysisContext.AnalysisResult;
import org.apache.impala.catalog.FeCatalog;
import org.apache.impala.common.InternalException;
+import org.apache.impala.thrift.TSessionState;
import java.util.Set;
@@ -40,8 +41,10 @@ public interface AuthorizationChecker {
*
* @param doAudits a flag whether or not to do the audits
* @param sqlStmt the SQL statement to be logged for auditing
+ * @param sessionState the client session state
*/
- AuthorizationContext createAuthorizationContext(boolean doAudits, String sqlStmt);
+ AuthorizationContext createAuthorizationContext(boolean doAudits, String sqlStmt,
+ TSessionState sessionState) throws InternalException;
/**
* Authorize an analyzed statement.
diff --git a/fe/src/main/java/org/apache/impala/authorization/AuthorizationManager.java b/fe/src/main/java/org/apache/impala/authorization/AuthorizationManager.java
index 529114a..d8d7b0f 100644
--- a/fe/src/main/java/org/apache/impala/authorization/AuthorizationManager.java
+++ b/fe/src/main/java/org/apache/impala/authorization/AuthorizationManager.java
@@ -18,8 +18,8 @@
package org.apache.impala.authorization;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
-import org.apache.impala.catalog.CatalogException;
import org.apache.impala.common.ImpalaException;
+import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TCreateDropRoleParams;
import org.apache.impala.thrift.TDdlExecResponse;
import org.apache.impala.thrift.TGrantRevokePrivParams;
@@ -68,38 +68,38 @@ public interface AuthorizationManager {
/**
* Grant a privilege to a role.
*/
- void grantPrivilegeToRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException;
+ void grantPrivilegeToRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException;
/**
* Revokes a privilege from a role.
*/
- void revokePrivilegeFromRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException;
+ void revokePrivilegeFromRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException;
/**
* Grants a privilege to a user.
*/
- void grantPrivilegeToUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException;
+ void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException;
/**
* Revokes a privilege from a user.
*/
- void revokePrivilegeFromUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException;
+ void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException;
/**
* Grants a privilege to a group.
*/
- void grantPrivilegeToGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException;
+ void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException;
/**
* Revokes a privilege from a group.
*/
- void revokePrivilegeFromGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException;
+ void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException;
/**
* Gets all privileges granted to the given principal.
diff --git a/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java b/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
index 83975c6..255a184 100644
--- a/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
+++ b/fe/src/main/java/org/apache/impala/authorization/BaseAuthorizationChecker.java
@@ -64,7 +64,7 @@ public abstract class BaseAuthorizationChecker implements AuthorizationChecker {
// "show tables", "describe" to filter out unauthorized database, table, or column
// names.
return hasAccess(createAuthorizationContext(false /*no audit log*/,
- null /*no SQL statement*/), user, request);
+ null /*no SQL statement*/, null /*no session state*/), user, request);
}
private boolean hasAccess(AuthorizationContext authzCtx, User user,
diff --git a/fe/src/main/java/org/apache/impala/authorization/NoopAuthorizationFactory.java b/fe/src/main/java/org/apache/impala/authorization/NoopAuthorizationFactory.java
index 1be26e7..2a371ea 100644
--- a/fe/src/main/java/org/apache/impala/authorization/NoopAuthorizationFactory.java
+++ b/fe/src/main/java/org/apache/impala/authorization/NoopAuthorizationFactory.java
@@ -25,11 +25,13 @@ import org.apache.impala.common.ImpalaException;
import org.apache.impala.common.InternalException;
import org.apache.impala.service.BackendConfig;
import org.apache.impala.service.FeCatalogManager;
+import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TCreateDropRoleParams;
import org.apache.impala.thrift.TDdlExecResponse;
import org.apache.impala.thrift.TGrantRevokePrivParams;
import org.apache.impala.thrift.TGrantRevokeRoleParams;
import org.apache.impala.thrift.TResultSet;
+import org.apache.impala.thrift.TSessionState;
import org.apache.impala.thrift.TShowGrantPrincipalParams;
import org.apache.impala.thrift.TShowRolesParams;
import org.apache.impala.thrift.TShowRolesResult;
@@ -107,42 +109,42 @@ public class NoopAuthorizationFactory implements AuthorizationFactory {
}
@Override
- public void grantPrivilegeToRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format("%s is not supported",
ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromRole(User requestingUser,
+ public void revokePrivilegeFromRole(TCatalogServiceRequestHeader header,
TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format("%s is not supported",
ClassUtil.getMethodName()));
}
@Override
- public void grantPrivilegeToUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format("%s is not supported",
ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromUser(User requestingUser,
+ public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format("%s is not supported",
ClassUtil.getMethodName()));
}
@Override
- public void grantPrivilegeToGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format("%s is not supported",
ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromGroup(User requestingUser,
+ public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format("%s is not supported",
ClassUtil.getMethodName()));
@@ -205,7 +207,7 @@ public class NoopAuthorizationFactory implements AuthorizationFactory {
@Override
public AuthorizationContext createAuthorizationContext(boolean doAudits,
- String sqlStmt) {
+ String sqlStmt, TSessionState sessionState) {
return new AuthorizationContext();
}
};
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
index 3a553cc..13e8261 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
@@ -34,6 +34,7 @@ import org.apache.impala.authorization.PrivilegeRequest;
import org.apache.impala.authorization.User;
import org.apache.impala.catalog.FeCatalog;
import org.apache.impala.common.InternalException;
+import org.apache.impala.thrift.TSessionState;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
@@ -207,12 +208,14 @@ public class RangerAuthorizationChecker extends BaseAuthorizationChecker {
@Override
public AuthorizationContext createAuthorizationContext(boolean doAudits,
- String sqlStmt) {
- RangerAuthorizationContext authzCtx = new RangerAuthorizationContext();
+ String sqlStmt, TSessionState sessionState) throws InternalException {
+ RangerAuthorizationContext authzCtx = new RangerAuthorizationContext(sessionState);
if (doAudits) {
// Any statement that goes through {@link authorize} will need to have audit logs.
if (sqlStmt != null) {
- authzCtx.setAuditHandler(new RangerBufferAuditHandler(sqlStmt));
+ authzCtx.setAuditHandler(new RangerBufferAuditHandler(
+ sqlStmt, plugin_.getClusterName(),
+ sessionState.getNetwork_address().getHostname()));
} else {
authzCtx.setAuditHandler(new RangerBufferAuditHandler());
}
@@ -225,21 +228,24 @@ public class RangerAuthorizationChecker extends BaseAuthorizationChecker {
AnalysisResult analysisResult, FeCatalog catalog, List<PrivilegeRequest> requests)
throws AuthorizationException, InternalException {
RangerAuthorizationContext originalCtx = (RangerAuthorizationContext) authzCtx;
+ RangerBufferAuditHandler originalAuditHandler = originalCtx.getAuditHandler();
// case 1: table (select) OK --> add the table event
// case 2: table (non-select) ERROR --> add the table event
// case 3: table (select) ERROR, columns (select) OK -> only add the column events
// case 4: table (select) ERROR, columns (select) ERROR --> only add the first column
// event
- RangerAuthorizationContext tmpCtx = new RangerAuthorizationContext();
+ RangerAuthorizationContext tmpCtx = new RangerAuthorizationContext(
+ originalCtx.getSessionState());
tmpCtx.setAuditHandler(new RangerBufferAuditHandler(
- originalCtx.getAuditHandler().getSqlStmt()));
+ originalAuditHandler.getSqlStmt(), originalAuditHandler.getClusterName(),
+ originalAuditHandler.getClientIp()));
try {
super.authorizeTableAccess(tmpCtx, analysisResult, catalog, requests);
} catch (AuthorizationException e) {
tmpCtx.getAuditHandler().getAuthzEvents().stream()
.filter(evt ->
// case 2: get the first failing non-select table
- (!"select".equals(evt.getAccessType()) &&
+ (!"select".equalsIgnoreCase(evt.getAccessType()) &&
"@table".equals(evt.getResourceType())) ||
// case 4: get the first failing column
("@column".equals(evt.getResourceType()) && evt.getAccessResult() == 0))
@@ -337,8 +343,13 @@ public class RangerAuthorizationChecker extends BaseAuthorizationChecker {
} else {
accessType = privilege.name().toLowerCase();
}
- RangerAccessRequest request = new RangerAccessRequestImpl(resource,
+ RangerAccessRequestImpl request = new RangerAccessRequestImpl(resource,
accessType, user.getShortName(), getUserGroups(user));
+ request.setClusterName(plugin_.getClusterName());
+ if (authzCtx.getSessionState() != null) {
+ request.setClientIPAddress(
+ authzCtx.getSessionState().getNetwork_address().getHostname());
+ }
RangerAccessResult result = plugin_.isAccessAllowed(request,
authzCtx.getAuditHandler());
return result != null && result.getIsAllowed();
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationContext.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationContext.java
index 4b69ce9..f4ad66a 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationContext.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationContext.java
@@ -19,6 +19,7 @@ package org.apache.impala.authorization.ranger;
import com.google.common.base.Preconditions;
import org.apache.impala.authorization.AuthorizationContext;
+import org.apache.impala.thrift.TSessionState;
import javax.annotation.Nullable;
@@ -26,12 +27,19 @@ import javax.annotation.Nullable;
* Ranger specific {@link AuthorizationContext}.
*/
public class RangerAuthorizationContext extends AuthorizationContext {
+ private final TSessionState sessionState_;
// Audit handler can be null meaning we don't want to do an audit log.
private @Nullable RangerBufferAuditHandler auditHandler_;
+ public RangerAuthorizationContext(TSessionState sessionState) {
+ sessionState_ = sessionState;
+ }
+
public void setAuditHandler(RangerBufferAuditHandler auditHandler) {
auditHandler_ = Preconditions.checkNotNull(auditHandler);
}
public RangerBufferAuditHandler getAuditHandler() { return auditHandler_; }
+
+ public TSessionState getSessionState() { return sessionState_; }
}
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerBufferAuditHandler.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerBufferAuditHandler.java
index 8fe0a96..4b192c5 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerBufferAuditHandler.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerBufferAuditHandler.java
@@ -17,12 +17,15 @@
package org.apache.impala.authorization.ranger;
+import com.google.common.base.Preconditions;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.util.ArrayList;
import java.util.Collection;
@@ -39,23 +42,29 @@ import java.util.Optional;
* multiple threads.
*/
public class RangerBufferAuditHandler implements RangerAccessResultProcessor {
+ private static final Logger LOG = LoggerFactory.getLogger(
+ RangerBufferAuditHandler.class);
private final RangerDefaultAuditHandler auditHandler_ = new RangerDefaultAuditHandler();
private final List<AuthzAuditEvent> auditEvents_ = new ArrayList<>();
private final String sqlStmt_; // The SQL statement to be logged
+ private final String clusterName_;
+ private final String clientIp_;
public RangerBufferAuditHandler() {
// This can be empty but should not be null to avoid NPE. See RANGER-2463.
- this("");
+ this("", "", "");
}
- public RangerBufferAuditHandler(String sqlStmt) {
- sqlStmt_= sqlStmt;
+ public RangerBufferAuditHandler(String sqlStmt, String clusterName, String clientIp) {
+ sqlStmt_ = Preconditions.checkNotNull(sqlStmt);
+ clusterName_ = Preconditions.checkNotNull(clusterName);
+ clientIp_ = Preconditions.checkNotNull(clientIp);
}
public static class AutoFlush extends RangerBufferAuditHandler
implements AutoCloseable {
- public AutoFlush(String sqlStmt) {
- super(sqlStmt);
+ public AutoFlush(String sqlStmt, String clusterName, String clientIp) {
+ super(sqlStmt, clusterName, clientIp);
}
@Override
@@ -66,12 +75,16 @@ public class RangerBufferAuditHandler implements RangerAccessResultProcessor {
public String getSqlStmt() { return sqlStmt_; }
+ public String getClusterName() { return clusterName_; }
+
+ public String getClientIp() { return clientIp_; }
+
/**
* Creates an instance of {@link RangerBufferAuditHandler} that will do an auto-flush.
* Use it with try-resource.
*/
- public static AutoFlush autoFlush() {
- return new AutoFlush("");
+ public static AutoFlush autoFlush(String sqlStmt, String clusterName, String clientIp) {
+ return new AutoFlush(sqlStmt, clusterName, clientIp);
}
@Override
@@ -105,8 +118,10 @@ public class RangerBufferAuditHandler implements RangerAccessResultProcessor {
String resourceType = resource != null ? resource.getLeafName() : null;
AuthzAuditEvent auditEvent = auditHandler_.getAuthzEvents(result);
- auditEvent.setAccessType(request.getAccessType());
+ auditEvent.setAccessType(request.getAccessType().toUpperCase());
auditEvent.setRequestData(sqlStmt_);
+ auditEvent.setClientIP(clientIp_);
+ auditEvent.setClusterName(clusterName_);
auditEvent.setResourcePath(resource != null ? resource.getAsString() : null);
if (resourceType != null) {
auditEvent.setResourceType("@" + resourceType);
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
index 0b1527f..f6c7e29 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java
@@ -28,6 +28,7 @@ import org.apache.impala.catalog.CatalogServiceCatalog;
import org.apache.impala.common.ImpalaException;
import org.apache.impala.common.InternalException;
import org.apache.impala.common.UnsupportedFeatureException;
+import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TCreateDropRoleParams;
import org.apache.impala.thrift.TDdlExecResponse;
import org.apache.impala.thrift.TGrantRevokePrivParams;
@@ -105,72 +106,76 @@ public class RangerCatalogdAuthorizationManager implements AuthorizationManager
}
@Override
- public void grantPrivilegeToRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedFeatureException(
"GRANT <privilege> TO ROLE is not supported by Ranger.");
}
@Override
- public void revokePrivilegeFromRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedFeatureException(
"REVOKE <privilege> FROM ROLE is not supported by Ranger.");
}
@Override
- public void grantPrivilegeToUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
List<GrantRevokeRequest> requests = createGrantRevokeRequests(
- requestingUser.getName(), true, params.getPrincipal_name(),
- Collections.emptyList(), plugin_.get().getClusterName(), params.getPrivileges());
+ header.getRequesting_user(), true, params.getPrincipal_name(),
+ Collections.emptyList(), plugin_.get().getClusterName(),
+ header.getClient_ip(), params.getPrivileges());
- grantPrivilege(requests);
+ grantPrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
refreshAuthorization(response);
}
@Override
- public void revokePrivilegeFromUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
List<GrantRevokeRequest> requests = createGrantRevokeRequests(
- requestingUser.getName(), false, params.getPrincipal_name(),
- Collections.emptyList(), plugin_.get().getClusterName(), params.getPrivileges());
+ header.getRequesting_user(), false, params.getPrincipal_name(),
+ Collections.emptyList(), plugin_.get().getClusterName(),
+ header.getClient_ip(), params.getPrivileges());
- revokePrivilege(requests);
+ revokePrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
refreshAuthorization(response);
}
@Override
- public void grantPrivilegeToGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
List<GrantRevokeRequest> requests = createGrantRevokeRequests(
- requestingUser.getName(), true, null,
+ header.getRequesting_user(), true, null,
Collections.singletonList(params.getPrincipal_name()),
- plugin_.get().getClusterName(), params.getPrivileges());
+ plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());
- grantPrivilege(requests);
+ grantPrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
refreshAuthorization(response);
}
@Override
- public void revokePrivilegeFromGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
List<GrantRevokeRequest> requests = createGrantRevokeRequests(
- requestingUser.getName(), false, null,
+ header.getRequesting_user(), false, null,
Collections.singletonList(params.getPrincipal_name()),
- plugin_.get().getClusterName(), params.getPrivileges());
+ plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());
- revokePrivilege(requests);
+ revokePrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
// Update the authorization refresh marker so that the Impalads can refresh their
// Ranger caches.
refreshAuthorization(response);
}
@VisibleForTesting
- public void grantPrivilege(List<GrantRevokeRequest> requests) throws ImpalaException {
+ public void grantPrivilege(List<GrantRevokeRequest> requests, String sqlStmt,
+ String clientIp) throws ImpalaException {
try {
for (GrantRevokeRequest request : requests) {
- try (AutoFlush auditHandler = RangerBufferAuditHandler.autoFlush()) {
+ try (AutoFlush auditHandler = RangerBufferAuditHandler.autoFlush(sqlStmt,
+ plugin_.get().getClusterName(), clientIp)) {
plugin_.get().grantAccess(request, auditHandler);
}
}
@@ -182,10 +187,12 @@ public class RangerCatalogdAuthorizationManager implements AuthorizationManager
}
@VisibleForTesting
- public void revokePrivilege(List<GrantRevokeRequest> requests) throws ImpalaException {
+ public void revokePrivilege(List<GrantRevokeRequest> requests, String sqlStmt,
+ String clientIp) throws ImpalaException {
try {
for (GrantRevokeRequest request : requests) {
- try (AutoFlush auditHandler = RangerBufferAuditHandler.autoFlush()) {
+ try (AutoFlush auditHandler = RangerBufferAuditHandler.autoFlush(sqlStmt,
+ plugin_.get().getClusterName(), clientIp)) {
plugin_.get().revokeAccess(request, auditHandler);
}
}
@@ -237,13 +244,13 @@ public class RangerCatalogdAuthorizationManager implements AuthorizationManager
public static List<GrantRevokeRequest> createGrantRevokeRequests(String grantor,
boolean isGrant, String user, List<String> groups, String clusterName,
- List<TPrivilege> privileges) {
+ String clientIp, List<TPrivilege> privileges) {
List<GrantRevokeRequest> requests = new ArrayList<>();
for (TPrivilege p: privileges) {
Function<Map<String, String>, GrantRevokeRequest> createRequest = (resource) ->
createGrantRevokeRequest(grantor, user, groups, clusterName, p.has_grant_opt,
- isGrant, p.privilege_level, resource);
+ isGrant, p.privilege_level, resource, clientIp);
// Ranger Impala service definition defines 3 resources:
// [DB -> Table -> Column]
@@ -273,7 +280,7 @@ public class RangerCatalogdAuthorizationManager implements AuthorizationManager
private static GrantRevokeRequest createGrantRevokeRequest(String grantor, String user,
List<String> groups, String clusterName, boolean withGrantOpt, boolean isGrant,
- TPrivilegeLevel level, Map<String, String> resource) {
+ TPrivilegeLevel level, Map<String, String> resource, String clientIp) {
GrantRevokeRequest request = new GrantRevokeRequest();
request.setGrantor(grantor);
if (user != null) request.getUsers().add(user);
@@ -283,6 +290,7 @@ public class RangerCatalogdAuthorizationManager implements AuthorizationManager
request.setReplaceExistingPermissions(Boolean.FALSE);
request.setClusterName(clusterName);
request.setResource(resource);
+ request.setClientIPAddress(clientIp);
// For revoke grant option, omit the privilege
if (!(!isGrant && withGrantOpt)) {
diff --git a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
index a4ea9df..81c8643 100644
--- a/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
+++ b/fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java
@@ -26,6 +26,7 @@ import org.apache.impala.authorization.User;
import org.apache.impala.catalog.Type;
import org.apache.impala.common.ImpalaException;
import org.apache.impala.common.UnsupportedFeatureException;
+import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TColumn;
import org.apache.impala.thrift.TCreateDropRoleParams;
import org.apache.impala.thrift.TDdlExecResponse;
@@ -122,43 +123,43 @@ public class RangerImpaladAuthorizationManager implements AuthorizationManager {
}
@Override
- public void grantPrivilegeToRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void grantPrivilegeToUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void grantPrivilegeToGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
diff --git a/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java b/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java
index 82cd9ab..46a393f 100644
--- a/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java
+++ b/fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java
@@ -29,6 +29,7 @@ import org.apache.impala.authorization.PrivilegeRequest;
import org.apache.impala.authorization.User;
import org.apache.impala.authorization.AuthorizationPolicy;
import org.apache.impala.common.InternalException;
+import org.apache.impala.thrift.TSessionState;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
@@ -88,7 +89,7 @@ public class SentryAuthorizationChecker extends BaseAuthorizationChecker {
@Override
public AuthorizationContext createAuthorizationContext(boolean doAudits,
- String sqlStmt) {
+ String sqlStmt, TSessionState sessionState) {
return new AuthorizationContext();
}
diff --git a/fe/src/main/java/org/apache/impala/authorization/sentry/SentryCatalogdAuthorizationManager.java b/fe/src/main/java/org/apache/impala/authorization/sentry/SentryCatalogdAuthorizationManager.java
index a0a4062..b3dfb23 100644
--- a/fe/src/main/java/org/apache/impala/authorization/sentry/SentryCatalogdAuthorizationManager.java
+++ b/fe/src/main/java/org/apache/impala/authorization/sentry/SentryCatalogdAuthorizationManager.java
@@ -35,6 +35,7 @@ import org.apache.impala.common.InternalException;
import org.apache.impala.common.Reference;
import org.apache.impala.common.UnsupportedFeatureException;
import org.apache.impala.thrift.TCatalogObject;
+import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TCreateDropRoleParams;
import org.apache.impala.thrift.TDdlExecResponse;
import org.apache.impala.thrift.TGrantRevokePrivParams;
@@ -192,7 +193,7 @@ public class SentryCatalogdAuthorizationManager implements AuthorizationManager
}
@Override
- public void grantPrivilegeToRole(User requestingUser,
+ public void grantPrivilegeToRole(TCatalogServiceRequestHeader header,
TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
verifySentryServiceEnabled();
@@ -209,8 +210,8 @@ public class SentryCatalogdAuthorizationManager implements AuthorizationManager
List<PrincipalPrivilege> removedGrantOptPrivileges =
Lists.newArrayListWithExpectedSize(privileges.size());
List<PrincipalPrivilege> addedRolePrivileges =
- sentryProxy_.grantRolePrivileges(requestingUser, roleName, privileges,
- params.isHas_grant_opt(), removedGrantOptPrivileges);
+ sentryProxy_.grantRolePrivileges(new User(header.getRequesting_user()), roleName,
+ privileges, params.isHas_grant_opt(), removedGrantOptPrivileges);
Preconditions.checkNotNull(addedRolePrivileges);
List<TCatalogObject> updatedPrivs =
@@ -238,8 +239,8 @@ public class SentryCatalogdAuthorizationManager implements AuthorizationManager
}
@Override
- public void revokePrivilegeFromRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
verifySentryServiceEnabled();
Preconditions.checkArgument(!params.getPrivileges().isEmpty());
@@ -270,8 +271,8 @@ public class SentryCatalogdAuthorizationManager implements AuthorizationManager
List<PrincipalPrivilege> addedRolePrivileges =
Lists.newArrayListWithExpectedSize(privileges.size());
List<PrincipalPrivilege> removedGrantOptPrivileges =
- sentryProxy_.revokeRolePrivileges(requestingUser, roleName, privileges,
- params.isHas_grant_opt(), addedRolePrivileges);
+ sentryProxy_.revokeRolePrivileges(new User(header.getRequesting_user()), roleName,
+ privileges, params.isHas_grant_opt(), addedRolePrivileges);
Preconditions.checkNotNull(addedRolePrivileges);
List<TCatalogObject> updatedPrivs =
@@ -303,29 +304,29 @@ public class SentryCatalogdAuthorizationManager implements AuthorizationManager
}
@Override
- public void grantPrivilegeToUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedFeatureException(
"GRANT <privilege> TO USER is not supported by Sentry.");
}
@Override
- public void revokePrivilegeFromUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedFeatureException(
"REVOKE <privilege> FROM USER is not supported by Sentry.");
}
@Override
- public void grantPrivilegeToGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedFeatureException(
"GRANT <privilege> TO GROUP is not supported by Sentry.");
}
@Override
- public void revokePrivilegeFromGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedFeatureException(
"REVOKE <privilege> FROM GROUP is not supported by Sentry.");
}
diff --git a/fe/src/main/java/org/apache/impala/authorization/sentry/SentryImpaladAuthorizationManager.java b/fe/src/main/java/org/apache/impala/authorization/sentry/SentryImpaladAuthorizationManager.java
index 83abe4b..4e255d3 100644
--- a/fe/src/main/java/org/apache/impala/authorization/sentry/SentryImpaladAuthorizationManager.java
+++ b/fe/src/main/java/org/apache/impala/authorization/sentry/SentryImpaladAuthorizationManager.java
@@ -158,43 +158,43 @@ public class SentryImpaladAuthorizationManager implements AuthorizationManager {
}
@Override
- public void grantPrivilegeToRole(User requestingUser,
+ public void grantPrivilegeToRole(TCatalogServiceRequestHeader header,
TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromRole(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromRole(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void grantPrivilegeToUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromUser(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void grantPrivilegeToGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
@Override
- public void revokePrivilegeFromGroup(User requestingUser, TGrantRevokePrivParams params,
- TDdlExecResponse response) throws ImpalaException {
+ public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
+ TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
throw new UnsupportedOperationException(String.format(
"%s is not supported in Impalad", ClassUtil.getMethodName()));
}
diff --git a/fe/src/main/java/org/apache/impala/service/CatalogOpExecutor.java b/fe/src/main/java/org/apache/impala/service/CatalogOpExecutor.java
index ce4570b..fc27cdb 100644
--- a/fe/src/main/java/org/apache/impala/service/CatalogOpExecutor.java
+++ b/fe/src/main/java/org/apache/impala/service/CatalogOpExecutor.java
@@ -116,6 +116,7 @@ import org.apache.impala.thrift.TAlterTableType;
import org.apache.impala.thrift.TAlterTableUpdateStatsParams;
import org.apache.impala.thrift.TCatalogObject;
import org.apache.impala.thrift.TCatalogObjectType;
+import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TCatalogUpdateResult;
import org.apache.impala.thrift.TColumn;
import org.apache.impala.thrift.TColumnName;
@@ -360,11 +361,11 @@ public class CatalogOpExecutor {
response);
break;
case GRANT_PRIVILEGE:
- grantPrivilege(requestingUser, ddlRequest.getGrant_revoke_priv_params(),
+ grantPrivilege(ddlRequest.getHeader(), ddlRequest.getGrant_revoke_priv_params(),
response);
break;
case REVOKE_PRIVILEGE:
- revokePrivilege(requestingUser, ddlRequest.getGrant_revoke_priv_params(),
+ revokePrivilege(ddlRequest.getHeader(), ddlRequest.getGrant_revoke_priv_params(),
response);
break;
case COMMENT_ON:
@@ -3351,23 +3352,25 @@ public class CatalogOpExecutor {
/**
* Grants one or more privileges to role on behalf of the requestingUser.
*/
- private void grantPrivilege(User requestingUser,
+ private void grantPrivilege(TCatalogServiceRequestHeader header,
TGrantRevokePrivParams grantRevokePrivParams, TDdlExecResponse resp)
throws ImpalaException {
- Preconditions.checkNotNull(requestingUser);
+ Preconditions.checkNotNull(header);
Preconditions.checkNotNull(grantRevokePrivParams);
Preconditions.checkNotNull(resp);
Preconditions.checkArgument(grantRevokePrivParams.isIs_grant());
switch (grantRevokePrivParams.principal_type) {
case ROLE:
- authzManager_.grantPrivilegeToRole(requestingUser, grantRevokePrivParams, resp);
+ authzManager_.grantPrivilegeToRole(header, grantRevokePrivParams, resp);
break;
case USER:
- authzManager_.grantPrivilegeToUser(requestingUser, grantRevokePrivParams, resp);
+ authzManager_.grantPrivilegeToUser(header, grantRevokePrivParams,
+ resp);
break;
case GROUP:
- authzManager_.grantPrivilegeToGroup(requestingUser, grantRevokePrivParams, resp);
+ authzManager_.grantPrivilegeToGroup(header, grantRevokePrivParams,
+ resp);
break;
default:
throw new IllegalArgumentException("Unexpected principal type: " +
@@ -3380,26 +3383,23 @@ public class CatalogOpExecutor {
/**
* Revokes one or more privileges to role on behalf of the requestingUser.
*/
- private void revokePrivilege(User requestingUser,
+ private void revokePrivilege(TCatalogServiceRequestHeader header,
TGrantRevokePrivParams grantRevokePrivParams, TDdlExecResponse resp)
throws ImpalaException {
- Preconditions.checkNotNull(requestingUser);
+ Preconditions.checkNotNull(header);
Preconditions.checkNotNull(grantRevokePrivParams);
Preconditions.checkNotNull(resp);
Preconditions.checkArgument(!grantRevokePrivParams.isIs_grant());
switch (grantRevokePrivParams.principal_type) {
case ROLE:
- authzManager_.revokePrivilegeFromRole(requestingUser, grantRevokePrivParams,
- resp);
+ authzManager_.revokePrivilegeFromRole(header, grantRevokePrivParams, resp);
break;
case USER:
- authzManager_.revokePrivilegeFromUser(requestingUser, grantRevokePrivParams,
- resp);
+ authzManager_.revokePrivilegeFromUser(header, grantRevokePrivParams, resp);
break;
case GROUP:
- authzManager_.revokePrivilegeFromGroup(requestingUser, grantRevokePrivParams,
- resp);
+ authzManager_.revokePrivilegeFromGroup(header, grantRevokePrivParams, resp);
break;
default:
throw new IllegalArgumentException("Unexpected principal type: " +
diff --git a/fe/src/main/java/org/apache/impala/service/Frontend.java b/fe/src/main/java/org/apache/impala/service/Frontend.java
index 7b19eed..d0979c0 100644
--- a/fe/src/main/java/org/apache/impala/service/Frontend.java
+++ b/fe/src/main/java/org/apache/impala/service/Frontend.java
@@ -100,11 +100,11 @@ import org.apache.impala.planner.HdfsScanNode;
import org.apache.impala.planner.PlanFragment;
import org.apache.impala.planner.Planner;
import org.apache.impala.planner.ScanNode;
-import org.apache.impala.thrift.TAccessEvent;
import org.apache.impala.thrift.TAlterDbParams;
import org.apache.impala.thrift.TCatalogOpRequest;
import org.apache.impala.thrift.TCatalogOpType;
import org.apache.impala.thrift.TCatalogServiceRequestHeader;
+import org.apache.impala.thrift.TClientRequest;
import org.apache.impala.thrift.TColumn;
import org.apache.impala.thrift.TColumnValue;
import org.apache.impala.thrift.TCommentOnParams;
@@ -577,6 +577,11 @@ public class Frontend {
if (ddl.getOp_type() == TCatalogOpType.DDL) {
TCatalogServiceRequestHeader header = new TCatalogServiceRequestHeader();
header.setRequesting_user(analysis.getAnalyzer().getUser().getName());
+ TQueryCtx queryCtx = analysis.getAnalyzer().getQueryCtx();
+ header.setClient_ip(queryCtx.getSession().getNetwork_address().getHostname());
+ TClientRequest clientRequest = queryCtx.getClient_request();
+ header.setRedacted_sql_stmt(clientRequest.isSetRedacted_stmt() ?
+ clientRequest.getRedacted_stmt() : clientRequest.getStmt());
ddl.getDdl_params().setHeader(header);
ddl.getDdl_params().setSync_ddl(ddl.isSync_ddl());
}
diff --git a/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java b/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
index b559ba1..7b4fcc6 100644
--- a/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
+++ b/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java
@@ -218,7 +218,7 @@ public abstract class AuthorizationTestBase extends FrontendTestBase {
}).collect(Collectors.toList()));
}
- authzManager.grantPrivilege(grants);
+ authzManager.grantPrivilege(grants, "", "127.0.0.1");
rangerImpalaPlugin_.refreshPoliciesAndTags();
}
@@ -229,7 +229,7 @@ public abstract class AuthorizationTestBase extends FrontendTestBase {
@Override
public void cleanUp() throws ImpalaException {
- authzManager.revokePrivilege(grants);
+ authzManager.revokePrivilege(grants, "", "127.0.0.1");
}
@Override
@@ -241,7 +241,7 @@ public abstract class AuthorizationTestBase extends FrontendTestBase {
protected List<GrantRevokeRequest> buildRequest(List<TPrivilege> privileges) {
return RangerCatalogdAuthorizationManager.createGrantRevokeRequests(
RANGER_ADMIN.getName(), true, USER.getName(), Collections.emptyList(),
- rangerImpalaPlugin_.getClusterName(), privileges);
+ rangerImpalaPlugin_.getClusterName(), "127.0.0.1", privileges);
}
}
@@ -252,7 +252,7 @@ public abstract class AuthorizationTestBase extends FrontendTestBase {
return RangerCatalogdAuthorizationManager.createGrantRevokeRequests(
RANGER_ADMIN.getName(), true, null, groups,
- rangerImpalaPlugin_.getClusterName(), privileges);
+ rangerImpalaPlugin_.getClusterName(), "127.0.0.1", privileges);
}
}
diff --git a/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java b/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
index c0837aa..fb85d7b 100644
--- a/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
+++ b/fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java
@@ -35,6 +35,7 @@ import java.util.List;
import java.util.function.Consumer;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
public class RangerAuditLogTest extends AuthorizationTestBase {
private RangerAuthorizationCheckerSpy authzChecker_;
@@ -200,9 +201,11 @@ public class RangerAuditLogTest extends AuthorizationTestBase {
private static void assertEventEquals(String resourceType, String accessType,
String resourcePath, int accessResult, AuthzAuditEvent event) {
assertEquals(resourceType, event.getResourceType());
- assertEquals(accessType, event.getAccessType());
+ assertEquals(accessType.toUpperCase(), event.getAccessType());
assertEquals(resourcePath, event.getResourcePath());
assertEquals(accessResult, event.getAccessResult());
+ assertEquals("test-cluster", event.getClusterName());
+ assertTrue(!event.getClientIP().isEmpty());
}
@Override
diff --git a/fe/src/test/java/org/apache/impala/common/FrontendTestBase.java b/fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
index b3dad6a..9771fe4 100644
--- a/fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
+++ b/fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
@@ -57,6 +57,7 @@ import org.apache.impala.service.Frontend;
import org.apache.impala.testutil.ImpaladTestCatalog;
import org.apache.impala.thrift.TAccessEvent;
import org.apache.impala.thrift.TQueryOptions;
+import org.apache.impala.thrift.TSessionState;
import org.junit.Assert;
import com.google.common.base.Preconditions;
@@ -376,7 +377,7 @@ public class FrontendTestBase extends AbstractFrontendTest {
@Override
public AuthorizationContext createAuthorizationContext(boolean doAudits,
- String sqlStmt) {
+ String sqlStmt, TSessionState sessionState) {
return new AuthorizationContext();
}
};
diff --git a/fe/src/test/resources/ranger-hive-audit.xml b/fe/src/test/resources/ranger-hive-audit.xml
index 5f45144..f9232f3 100644
--- a/fe/src/test/resources/ranger-hive-audit.xml
+++ b/fe/src/test/resources/ranger-hive-audit.xml
@@ -20,4 +20,11 @@
<name>xasecure.audit.is.enabled</name>
<value>false</value>
</property>
+ <!-- RANGER-2458: This property may need to be updated to
+ "ranger.plugin.hive.access.cluster.name" and added to
+ "ranger-hive-security.xml". -->
+ <property>
+ <name>ranger.plugin.hive.ambari.cluster.name</name>
+ <value>test-cluster</value>
+ </property>
</configuration>