IMPALA / IMPALA-11494

Ranger audit log entries generated for authorized query against non-existing tables


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Impala 4.0.0, Impala 4.1.0
    • Fix Version/s: Impala 4.2.0
    • Component/s: Frontend
    • Labels: None

    Description

      We found that Impala will generate (confusing) Ranger audit log entries for a query against non-existing tables when the query is authorized (i.e., no AuthorizationException thrown).

      Specifically, to reproduce the issue, it suffices to perform the following steps.

      1. As the user 'admin', execute in Impala shell "GRANT ALL ON DATABASE functional to user <user_name>" and "GRANT ALL ON DATABASE default to user <user_name>".
      2. Set a breakpoint at auditHandler.flush() and attach a debugger to the Impala daemon.
      3. As the user '<user_name>', execute in Impala shell "SELECT * FROM functional.test_tbl_01", where 'functional.test_tbl_01' is a non-existing table.
      4. Use the debugger to inspect the produced AuthzAuditEvents. We will find that 2 audit log entries are generated, like the following. The first is for the table 'functional/test_tbl_01' and the second is for the table 'default/functional'. This can be seen in the 'resourcePath' field of an AuthzAuditEvent.
        0 = {AuthzAuditEvent@6887} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=functional/test_tbl_01;resourceType=@table;action=select;accessResult=1;agentId=impala;policyId=12;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=af92b724-1038-4a2c-9295-2bf6e7fbebe8-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=1;additionalInfo=null}"
        1 = {AuthzAuditEvent@6888} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=default/functional;resourceType=@table;action=select;accessResult=0;agentId=impala;policyId=-1;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=c090e009-d1a5-47ff-8b1e-87a9dfa64824-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=null;additionalInfo=null}"
        

      We should not generate such confusing audit log entries for an authorized query against non-existing tables.
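
For anyone reviewing Ranger audit data from an affected version, the pattern described above can be picked out mechanically. This is an added example, not part of the original report or of Impala's code: the function names are hypothetical, the sample events are constructed in the layout quoted above, and the pairing rule (a denied 'default/<db>' table event alongside an allowed '<db>/...' event for the same user and statement) is an assumption drawn from the two entries shown.

```python
import re
from collections import defaultdict

# Constructed sample events in the AuthzAuditEvent{k=v;...} layout quoted in the
# report (fields trimmed; the user and eventId values are made up).
SAMPLE = [
    "AuthzAuditEvent{user=alice;resourcePath=functional/test_tbl_01;resourceType=@table;"
    "accessResult=1;policyId=12;requestData=select * from functional.test_tbl_01;eventId=e1-0}",
    "AuthzAuditEvent{user=alice;resourcePath=default/functional;resourceType=@table;"
    "accessResult=0;policyId=-1;requestData=select * from functional.test_tbl_01;eventId=e2-0}",
    # An unrelated denial that must not be flagged.
    "AuthzAuditEvent{user=alice;resourcePath=default/secret_tbl;resourceType=@table;"
    "accessResult=0;policyId=-1;requestData=select * from default.secret_tbl;eventId=e3-0}",
]

def parse_event(line):
    """Turn one AuthzAuditEvent{...} string into a dict of its fields."""
    body = re.search(r"AuthzAuditEvent\{(.*)\}", line).group(1)
    # Split only on ';' that starts a new key=, so most ';' inside requestData survive.
    return dict(part.split("=", 1) for part in re.split(r";(?=\w+=)", body))

def find_spurious_denials(lines):
    """Return eventIds of denied 'default/<db>' table events that accompany an
    allowed event on '<db>/...' for the same user and statement (assumed heuristic)."""
    groups = defaultdict(list)
    for event in map(parse_event, lines):
        groups[(event["user"], event["requestData"])].append(event)
    flagged = []
    for events in groups.values():
        # Databases for which this statement produced an allowed (accessResult=1) event.
        allowed_dbs = {e["resourcePath"].split("/")[0]
                       for e in events if e["accessResult"] == "1"}
        for e in events:
            parts = e["resourcePath"].split("/")
            if (e["accessResult"] == "0" and e["resourceType"] == "@table"
                    and len(parts) == 2 and parts[0] == "default"
                    and parts[1] in allowed_dbs):
                flagged.append(e["eventId"])
    return flagged

if __name__ == "__main__":
    print(find_spurious_denials(SAMPLE))
```
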


          People

            fangyurao Fang-Yu Rao