You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2017/10/16 23:20:50 UTC
Review Request 63055: Audit log records for 'use dbName' and 'show
databases' hive commands contain large number of tags
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63055/
-----------------------------------------------------------
Review request for ranger, Madhan Neethiraj and Ramesh Mani.
Bugs: RANGER-1841
https://issues.apache.org/jira/browse/RANGER-1841
Repository: ranger
Description
-------
When a Hive service is configured for tag-based authorization, the audit log generated for ‘use dbName’ or 'show databases' command would contain all the tags associated with: the database, all tables in the database, all the columns in the database. The number of tags in this audit log could be too many; and having such large number of tags in audit logs of 'use <dbName>' command may not be useful. It will be better not to log tags in audit logs for 'use <dbName>' commands. Policy-id recorded in the audit log can be used to identity the tag, if a tag-based policy authorized the command.
Diffs
-----
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 9dea37a
Diff: https://reviews.apache.org/r/63055/diff/1/
Testing
-------
Tested with local VM
Thanks,
Abhay Kulkarni
Re: Review Request 63055: Audit log records for 'use dbName' and 'show
databases' hive commands contain large number of tags
Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63055/#review188238
-----------------------------------------------------------
Ship it!
Ship It!
- Ramesh Mani
On Oct. 16, 2017, 11:20 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63055/
> -----------------------------------------------------------
>
> (Updated Oct. 16, 2017, 11:20 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
>
>
> Bugs: RANGER-1841
> https://issues.apache.org/jira/browse/RANGER-1841
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When a Hive service is configured for tag-based authorization, the audit log generated for ‘use dbName’ or 'show databases' command would contain all the tags associated with: the database, all tables in the database, all the columns in the database. The number of tags in this audit log could be too many; and having such large number of tags in audit logs of 'use <dbName>' command may not be useful. It will be better not to log tags in audit logs for 'use <dbName>' commands. Policy-id recorded in the audit log can be used to identity the tag, if a tag-based policy authorized the command.
>
>
> Diffs
> -----
>
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 9dea37a
>
>
> Diff: https://reviews.apache.org/r/63055/diff/1/
>
>
> Testing
> -------
>
> Tested with local VM
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 63055: Audit log records for 'use dbName' and 'show
databases' hive commands contain large number of tags
Posted by Alejandro Fernandez <af...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63055/#review188244
-----------------------------------------------------------
Ship it!
Ship It!
- Alejandro Fernandez
On Oct. 16, 2017, 11:20 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63055/
> -----------------------------------------------------------
>
> (Updated Oct. 16, 2017, 11:20 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
>
>
> Bugs: RANGER-1841
> https://issues.apache.org/jira/browse/RANGER-1841
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When a Hive service is configured for tag-based authorization, the audit log generated for ‘use dbName’ or 'show databases' command would contain all the tags associated with: the database, all tables in the database, all the columns in the database. The number of tags in this audit log could be too many; and having such large number of tags in audit logs of 'use <dbName>' command may not be useful. It will be better not to log tags in audit logs for 'use <dbName>' commands. Policy-id recorded in the audit log can be used to identity the tag, if a tag-based policy authorized the command.
>
>
> Diffs
> -----
>
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java 9dea37a
>
>
> Diff: https://reviews.apache.org/r/63055/diff/1/
>
>
> Testing
> -------
>
> Tested with local VM
>
>
> Thanks,
>
> Abhay Kulkarni
>
>