Fang-Yu Rao created IMPALA-14991:
------------------------------------
Summary: Consider calling RangerAccessRequestImpl#setAction() when
creating a RangerAccessRequestImpl
Key: IMPALA-14991
URL: https://issues.apache.org/jira/browse/IMPALA-14991
Project: IMPALA
Issue Type: Task
Components: Frontend
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao
Currently when constructing a {{RangerAccessRequestImpl}} in
[RangerAuthorizationChecker#authorizeResource()|https://github.com/apache/impala/blob/0802e29/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L87-L194],
we do not explicitly set up the field '{{action}}' by calling
[RangerAccessRequestImpl#setAction()|https://github.com/apache/ranger/blob/3fd46db/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java#L266-L268].
As a result, the field '{{action}}' would be null when we pass the
{{RangerAccessRequestImpl}} to the Ranger plug-in at
[plugin_.isAccessAllowed(request, auditHandler)|https://github.com/apache/impala/blob/0802e29/fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java#L698].
The resulting {{AuthzAuditEvent}} would have had a null '{{action}}' field.
But due to RANGER-5594, the '{{action}}' field in the
corresponding {{AuthzAuditEvent}} becomes the same as the field
'{{accessType}}', which is non-null.
In a lot of statements, an {{AuthzAuditEvent}} produced by
[RangerHiveAuthorizer.java|https://github.com/apache/ranger/blob/3fd46db/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java]
has the same value for the fields of '{{action}}' and '{{accessType}}'
(or the field of '{{access}}') so the issue/fact in Impala as described
above seems to be fine.
But for some statements, e.g., "{{GRANT ROLE}}", one field is
'{{GRANT_ROLE}}', and the other is '{{alter}}' in the Ranger audit event
produced for Apache Hive.
{code:json}
{
  "repoType": 3,
  "repo": "cm_hive",
  "reqUser": "hive",
  "evtTime": "2026-05-12 23:52:21.736",
  "access": "GRANT_ROLE",
  "resource": null,
  "resType": "@null",
  "action": "alter",
  "result": 0,
  "agent": "hiveServer2",
  "policy": -1,
  "reason": null,
  "enforcer": "ranger-acl",
  "sess": null,
  "cliType": null,
  "cliIP": "10.140.225.8",
  "reqData": "grant role_01 to USER livy ",
  "agentHost": "ccycloud-1.cdpd102205d01.root.comops.site",
  "logType": "RangerAudit",
  "id": "2053b6cd-5a4e-4948-a88b-93401b63ad72-0",
  "seq_num": 1,
  "event_count": 1,
  "event_dur_ms": 1,
  "tags": [],
  "datasets": null,
  "projects": null,
  "datasetIds": null,
  "additional_info": "{\"serviceType\":\"hive\",\"forwarded-ip-addresses\":\"[]\",\"remote-ip-address\":\"10.140.225.8\"}",
  "cluster_name": "Cluster 1",
  "zone_name": null,
  "policy_version": null
}
{code}
Of course Impala could have its own way of producing the Ranger audit events, but
if the issue of RANGER-5594 is really getting fixed, we may have to populate
the field '{{action}}' explicitly on the Impala side if we don't want it
to be null.
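For anyone consuming these audit events, the following added example (not part of the issue and not Impala or Ranger code) classifies how '{{action}}' relates to '{{access}}' per agent, so that rules keyed on '{{action}}' can be checked against what each agent actually emits. The sample events are constructed: only the first follows the Hive event quoted above, and the "impala" agent name, the other two events, and the case-insensitive comparison are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events in the audit JSON shape shown above, trimmed to the
# fields used here. Only the first follows the Hive event from the issue; the
# "impala" agent name and the other two events are assumptions for illustration.
SAMPLE_EVENTS = """
{"agent": "hiveServer2", "access": "GRANT_ROLE", "action": "alter"}
{"agent": "impala", "access": "select", "action": "select"}
{"agent": "impala", "access": "alter", "action": null}
"""

def classify(event):
    """Return how 'action' relates to 'access' in one audit event."""
    action, access = event.get("action"), event.get("access")
    if not isinstance(action, str) or not action:
        return "action_missing"
    if isinstance(access, str) and action.lower() == access.lower():
        # Either the two genuinely coincide or 'action' was filled in from the
        # access type; the event alone cannot tell which (case folding assumed).
        return "action_mirrors_access"
    return "action_distinct"

def summarize(lines):
    """Count classifications per agent over newline-delimited JSON events."""
    per_agent = defaultdict(Counter)
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            per_agent["<unparsed>"]["bad_json"] += 1
            continue
        per_agent[event.get("agent") or "<unknown>"][classify(event)] += 1
    return {agent: dict(counts) for agent, counts in per_agent.items()}

def action_adds_nothing(summary, agent):
    """True if no event from this agent has an 'action' distinct from 'access',
    so a rule keyed on 'action' learns nothing beyond what 'access' says."""
    return summary.get(agent, {}).get("action_distinct", 0) == 0

if __name__ == "__main__":
    for agent, counts in sorted(summarize(SAMPLE_EVENTS).items()):
        print(agent, counts)
```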