IMPALA-11494

Ranger audit log entries generated for authorized query against non-existing tables


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Impala 4.0.0, Impala 4.1.0
    • Fix Version/s: Impala 4.2.0
    • Component/s: Frontend
    • Labels: None

    Description

      We found that Impala will generate (confusing) Ranger audit log entries for a query against non-existing tables when the query is authorized (i.e., no AuthorizationException thrown).

      Specifically, to reproduce the issue, it suffices to perform the following steps.

      1. As the user 'admin', execute in Impala shell "GRANT ALL ON DATABASE functional to user <user_name>" and "GRANT ALL ON DATABASE default to user <user_name>".
      2. Set a breakpoint at auditHandler.flush() and attach a debugger to the Impala daemon.
      3. As the user '<user_name>', execute in Impala shell "SELECT * FROM functional.test_tbl_01", where 'functional.test_tbl_01' is a non-existing table.
      4. Use the debugger to inspect the produced AuthzAuditEvents. We will find that 2 audit log entries are generated, like the following. The first is for the table 'functional/test_tbl_01' and the second is for the table 'default/functional'. This can be seen in the 'resourcePath' field of each AuthzAuditEvent.
        0 = {AuthzAuditEvent@6887} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=functional/test_tbl_01;resourceType=@table;action=select;accessResult=1;agentId=impala;policyId=12;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=af92b724-1038-4a2c-9295-2bf6e7fbebe8-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=1;additionalInfo=null}"
        1 = {AuthzAuditEvent@6888} "AuthzAuditEvent{repositoryType=3;repositoryName=test_impala;user=fangyurao;eventTime=Wed Aug 10 17:10:29 PDT 2022;accessType=select;resourcePath=default/functional;resourceType=@table;action=select;accessResult=0;agentId=impala;policyId=-1;resultReason=null;aclEnforcer=ranger-acl;sessionId=null;clientType=null;clientIP=127.0.0.1;requestData=select * from functional.test_tbl_01;agentHostname=fangyu-upstream-dev.gce.cloudera.com;logType=RangerAudit;eventId=c090e009-d1a5-47ff-8b1e-87a9dfa64824-0;seq_num=0;event_count=1;event_dur_ms=0;tags=[];clusterName=test-cluster;zoneName=null;policyVersion=null;additionalInfo=null}"
        

      We should not generate such confusing audit log entries for an authorized query against non-existing tables.
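Added example (not part of the original report and not Impala or Ranger code): a triage check for audit exports from affected versions that flags the second kind of entry shown above, a denied event with policyId=-1 whose "table" is the database of an allowed entry for the same user and query. The function names are hypothetical, and it assumes accessResult=1 means allowed, accessResult=0 means denied, and policyId=-1 means no policy matched.

```python
import re
from collections import defaultdict

# Constructed sample input. The first two events are the ones in the report,
# trimmed to the fields this check reads; the third (user "alice") is made up
# to show an ordinary denial that must not be flagged.
SAMPLE_EVENTS = [
    'AuthzAuditEvent{user=fangyurao;accessType=select;resourcePath=functional/test_tbl_01;'
    'accessResult=1;policyId=12;requestData=select * from functional.test_tbl_01}',
    'AuthzAuditEvent{user=fangyurao;accessType=select;resourcePath=default/functional;'
    'accessResult=0;policyId=-1;requestData=select * from functional.test_tbl_01}',
    'AuthzAuditEvent{user=alice;accessType=select;resourcePath=functional/alltypes;'
    'accessResult=0;policyId=-1;requestData=select * from functional.alltypes}',
]

# A value runs until the next ";key=" or the end of the body, so a query text
# containing ";word=" would be split early (acceptable for this triage check).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=;\w+=|$)", re.S)

def parse_event(line):
    """Return the fields of one AuthzAuditEvent{...} string as a dict."""
    start = line.index("AuthzAuditEvent{") + len("AuthzAuditEvent{")
    return dict(FIELD_RE.findall(line[start:line.rindex("}")]))

def find_spurious_denials(lines):
    """Return denied events that match the pattern shown in the report."""
    by_query = defaultdict(list)
    for event in map(parse_event, lines):
        by_query[(event["user"], event["requestData"])].append(event)
    flagged = []
    for events in by_query.values():
        # Databases of entries in this query that were allowed (assumed: accessResult=1).
        allowed_dbs = {e["resourcePath"].split("/")[0]
                       for e in events if e["accessResult"] == "1"}
        for e in events:
            parts = e["resourcePath"].split("/")
            # Denied, no policy matched (assumed meaning of policyId=-1), and the
            # "table" is the name of a database the same query was allowed to read.
            if (e["accessResult"] == "0" and e["policyId"] == "-1"
                    and len(parts) == 2 and parts[1] in allowed_dbs):
                flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in find_spurious_denials(SAMPLE_EVENTS):
        print(e["user"], e["resourcePath"], "<-", e["requestData"])
```

Entries flagged this way are candidates for exclusion when counting denied accesses; an unrelated denial such as the third sample event is left alone.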


            People

              Assignee: Fang-Yu Rao (fangyurao)
              Reporter: Fang-Yu Rao (fangyurao)