You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2019/10/29 05:04:40 UTC
Review Request 71693: RANGER-2631: Ranger Audit logs for for SHOW
commands related to ROLE operations in Hive
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71693/
-----------------------------------------------------------
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2631
https://issues.apache.org/jira/browse/RANGER-2631
Repository: ranger
Description
-------
RANGER-2631: Ranger Audit logs for for SHOW commands related to ROLE operations in Hive
Diffs
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 765da59
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java f10bde4
Diff: https://reviews.apache.org/r/71693/diff/1/
Testing
-------
Testing done by executing following hive commands
CREATE ROLE, DROP ROLE, SHOW ROLES, SHOW PRINCIPAL <role>, GRANT ROLE, REVOKE ROLE, SHOW CURRENT ROLE
Thanks,
Ramesh Mani
Re: Review Request 71693: RANGER-2631: Ranger Audit logs for for SHOW
commands related to ROLE operations in Hive
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71693/#review218991
-----------------------------------------------------------
Ship it!
Ship It!
- Abhay Kulkarni
On Nov. 7, 2019, 6:45 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71693/
> -----------------------------------------------------------
>
> (Updated Nov. 7, 2019, 6:45 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2631
> https://issues.apache.org/jira/browse/RANGER-2631
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2631: Ranger Audit logs for for SHOW commands related to ROLE operations in Hive
>
>
> Diffs
> -----
>
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 765da59
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java f10bde4
>
>
> Diff: https://reviews.apache.org/r/71693/diff/2/
>
>
> Testing
> -------
>
> Testing done by executing following hive commands
> CREATE ROLE, DROP ROLE, SHOW ROLES, SHOW PRINCIPAL <role>, GRANT ROLE, REVOKE ROLE, SHOW CURRENT ROLE
>
>
> Thanks,
>
> Ramesh Mani
>
>
Re: Review Request 71693: RANGER-2631: Ranger Audit logs for for SHOW
commands related to ROLE operations in Hive
Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71693/
-----------------------------------------------------------
(Updated Nov. 7, 2019, 6:45 a.m.)
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Fixed review comments
Bugs: RANGER-2631
https://issues.apache.org/jira/browse/RANGER-2631
Repository: ranger
Description
-------
RANGER-2631: Ranger Audit logs for for SHOW commands related to ROLE operations in Hive
Diffs (updated)
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 765da59
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java f10bde4
Diff: https://reviews.apache.org/r/71693/diff/2/
Changes: https://reviews.apache.org/r/71693/diff/1-2/
Testing
-------
Testing done by executing following hive commands
CREATE ROLE, DROP ROLE, SHOW ROLES, SHOW PRINCIPAL <role>, GRANT ROLE, REVOKE ROLE, SHOW CURRENT ROLE
Thanks,
Ramesh Mani
Re: Review Request 71693: RANGER-2631: Ranger Audit logs for for SHOW
commands related to ROLE operations in Hive
Posted by Ramesh Mani <rm...@hortonworks.com>.
> On Oct. 30, 2019, 9:39 p.m., Sailaja Polavarapu wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
> > Lines 47 (patched)
> > <https://reviews.apache.org/r/71693/diff/1/?file=2170648#file2170648line47>
> >
> > Please add show current roles command as well.
HiveOperationType does have show current roles as now. I shall raise a bug to hive to take care of this. Once its done we can fix this issue.
> On Oct. 30, 2019, 9:39 p.m., Sailaja Polavarapu wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Lines 106 (patched)
> > <https://reviews.apache.org/r/71693/diff/1/?file=2170649#file2170649line106>
> >
> > Similarly show role grant command is also supported for group and role.
> >
> > SHOW ROLE GRANT (USER|GROUP|ROLE) principal_name;
show role grant is not implemented yet in Ranger. I shall take care of this in separate patch.
- Ramesh
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71693/#review218464
-----------------------------------------------------------
On Nov. 7, 2019, 6:45 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71693/
> -----------------------------------------------------------
>
> (Updated Nov. 7, 2019, 6:45 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2631
> https://issues.apache.org/jira/browse/RANGER-2631
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2631: Ranger Audit logs for for SHOW commands related to ROLE operations in Hive
>
>
> Diffs
> -----
>
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 765da59
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java f10bde4
>
>
> Diff: https://reviews.apache.org/r/71693/diff/2/
>
>
> Testing
> -------
>
> Testing done by executing following hive commands
> CREATE ROLE, DROP ROLE, SHOW ROLES, SHOW PRINCIPAL <role>, GRANT ROLE, REVOKE ROLE, SHOW CURRENT ROLE
>
>
> Thanks,
>
> Ramesh Mani
>
>
Re: Review Request 71693: RANGER-2631: Ranger Audit logs for for SHOW
commands related to ROLE operations in Hive
Posted by Sailaja Polavarapu <sp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71693/#review218464
-----------------------------------------------------------
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
Lines 47 (patched)
<https://reviews.apache.org/r/71693/#comment306195>
Please add show current roles command as well.
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 105 (patched)
<https://reviews.apache.org/r/71693/#comment306193>
Add one more command for show current roles.
Also grant and revoke role commands are supported for group(s) and role(s) as well. Multiple users/groups/roles can be specified with comma separated values.
These commands also support with or without "ADMIN OPTION". Not sure if we want to capture it here.
Format of these commands are:
GRANT role_name [, role_name] ...
TO principal_specification [, principal_specification] ...
[ WITH ADMIN OPTION ];
principal_specification
: USER user
| GROUP group
| ROLE role
REVOKE [ADMIN OPTION FOR] role_name [, role_name] ...
FROM principal_specification [, principal_specification] ... ;
principal_specification
: USER user
| GROUP group
| ROLE role
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 106 (patched)
<https://reviews.apache.org/r/71693/#comment306194>
Similarly show role grant command is also supported for group and role.
SHOW ROLE GRANT (USER|GROUP|ROLE) principal_name;
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 435 (patched)
<https://reviews.apache.org/r/71693/#comment306197>
I think we need to pass on hivePrincipals as to createAuditEvent as these are the ones that are granted to a role or revoked from a role.
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Line 469 (original), 509 (patched)
<https://reviews.apache.org/r/71693/#comment306198>
Similar to grantRole, hivePrincipals should be caputured in the audit event. For each HivePrincipal, we can get the type (user, group, or role).
principal.getType()
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 2533 (patched)
<https://reviews.apache.org/r/71693/#comment306196>
Nit pick - Method name mispelled? createRangerHiveAccessRequest
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 2596 (patched)
<https://reviews.apache.org/r/71693/#comment306199>
Please review Grant and Revoke commands as commented above.
- Sailaja Polavarapu
On Oct. 29, 2019, 5:04 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71693/
> -----------------------------------------------------------
>
> (Updated Oct. 29, 2019, 5:04 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2631
> https://issues.apache.org/jira/browse/RANGER-2631
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2631: Ranger Audit logs for for SHOW commands related to ROLE operations in Hive
>
>
> Diffs
> -----
>
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 765da59
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java f10bde4
>
>
> Diff: https://reviews.apache.org/r/71693/diff/1/
>
>
> Testing
> -------
>
> Testing done by executing following hive commands
> CREATE ROLE, DROP ROLE, SHOW ROLES, SHOW PRINCIPAL <role>, GRANT ROLE, REVOKE ROLE, SHOW CURRENT ROLE
>
>
> Thanks,
>
> Ramesh Mani
>
>