Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- Impala 4.0.0, Impala 4.1.0
Description
We found that Impala will generate (confusing) Ranger audit log entries for a query against non-existing tables when the query is authorized (i.e., no AuthorizationException thrown).
Specifically, to reproduce the issue, it suffices to perform the following steps.
- As the user 'admin', execute in Impala shell "GRANT ALL ON DATABASE functional to user <user_name>" and "GRANT ALL ON DATABASE default to user <user_name>".
- Set a breakpoint at auditHandler.flush() and attach a debugger to the Impala daemon.
- As the user '<user_name>', execute in Impala shell "SELECT * FROM functional.test_tbl_01", where 'functional.test_tbl_01' is a non-existing table.
- Use the debugger to inspect the produced AuthzAuditEvents. We will find that there are 2 audit log entries generated like the following. The first is for the table 'functional/test_tbl_01' and the second is for the table 'default/functional'. This can be seen in the 'resourcePath' field of an AuthzAuditEvent.
0 = {AuthzAuditEvent@6887} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=functional/test_tbl_01;resourceType=@table;action=select;accessResult=1;agentId=impala;policyId=12;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=af92b724-1038-4a2c-9295-2bf6e7fbebe8-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=1;additionalInfo=null}"
1 = {AuthzAuditEvent@6888} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=default/functional;resourceType=@table;action=select;accessResult=0;agentId=impala;policyId=-1;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=c090e009-d1a5-47ff-8b1e-87a9dfa64824-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=null;additionalInfo=null}"
We should not generate such confusing audit log entries for an authorized query against non-existing tables.
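An added example, not part of the original report and not Impala or Ranger code: a small parser for the AuthzAuditEvent strings shown above that flags the confusing pair, i.e. an accessResult=0, policyId=-1 entry on 'default/<db>' that accompanies an accessResult=1 entry on '<db>/<table>' for the same user and requestData. The sample lines, user names and eventId values are constructed, and the pairing rule is a heuristic derived from the two entries in this report.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two entries in the report (fields trimmed),
# plus one unrelated denial that must not be flagged.
SAMPLE = [
    '0 = {AuthzAuditEvent@1} "AuthzAuditEvent{user=alice;accessType=select;'
    'resourcePath=functional/test_tbl_01;resourceType=@table;accessResult=1;policyId=12;'
    'requestData=select * from functional.test_tbl_01;eventId=evt-a-0}"',
    '1 = {AuthzAuditEvent@2} "AuthzAuditEvent{user=alice;accessType=select;'
    'resourcePath=default/functional;resourceType=@table;accessResult=0;policyId=-1;'
    'requestData=select * from functional.test_tbl_01;eventId=evt-b-0}"',
    '2 = {AuthzAuditEvent@3} "AuthzAuditEvent{user=bob;accessType=select;'
    'resourcePath=default/secret;resourceType=@table;accessResult=0;policyId=-1;'
    'requestData=select * from secret;eventId=evt-c-0}"',
]

# A value runs up to the next ";key=" or the closing brace, so spaces in requestData survive.
FIELD = re.compile(r"(\w+)=(.*?)(?=;\w+=|\}$)")

def parse_event(line):
    """Parse one AuthzAuditEvent{k=v;...} string (debugger prefix and quotes allowed)."""
    m = re.search(r"AuthzAuditEvent\{(.*\})$", line.strip().strip('"'))
    return dict(FIELD.findall(m.group(1))) if m else None

def find_confusing(events):
    """Return accessResult=0 entries on 'default/<db>' paired with an allowed '<db>/<tbl>' entry."""
    groups = defaultdict(list)
    for e in events:  # entries emitted for one statement share user and requestData
        groups[(e.get("user"), e.get("requestData"))].append(e)
    flagged = []
    for group in groups.values():
        ok_dbs = {e["resourcePath"].split("/")[0] for e in group
                  if e.get("accessResult") == "1" and "/" in e.get("resourcePath", "")}
        for e in group:
            parts = e.get("resourcePath", "").split("/")
            if (e.get("accessResult") == "0" and e.get("policyId") == "-1"
                    and len(parts) == 2 and parts[0] == "default" and parts[1] in ok_dbs):
                flagged.append(e)
    return flagged

def scan(lines):
    """Parse raw lines, skip anything that is not an audit event, return flagged entries."""
    return find_confusing([e for e in map(parse_event, lines) if e])

if __name__ == "__main__":
    for e in scan(SAMPLE):
        print(e["eventId"], e["user"], e["resourcePath"])
```

Grouping here uses only user and requestData; when run over a long audit history, adding a time window to the group key keeps repeated statements apart.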