Description
Currently, when access audits are generated for any operation, only the user name of the requesting user is added to the AuthzAuditEvent object. But in many cases the user gets access through a group or role of which the user is a member. In these cases, the group or role details are not added to the audit event.
It would be useful for the system administrator or end user to see the group or role through which the user was granted access.
Please find the details of the approach:
- We can record the principal (user, group or role) through which the user got access in the finally block of RangerPolicyEngineImpl.evaluateAuditPolicies
- We will need to add the fields group and role to AuthzAuditEvent
- The matched principal can then be copied into the audit event in RangerDefaultAuditHandler.getAuthzEvents
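A simplified, stand-alone sketch of the idea, added here as an example and not Ranger's own code: the class names, fields and evaluation order below are assumptions. Evaluation records which principal granted the access, and the audit event carries a group or role only when access came through one of them rather than through the user directly.

```java
// Hypothetical model of the proposed change; not Apache Ranger's real API.
import java.util.*;

public class AuditPrincipalExample {
    // Audit event with the proposed group and role fields alongside user.
    static final class AuthzAuditEvent {
        String user, accessType, resource, group, role;
        boolean allowed;
        @Override public String toString() {
            return String.format("user=%s group=%s role=%s resource=%s access=%s allowed=%s",
                                 user, group, role, resource, accessType, allowed);
        }
    }

    // One allow policy item: any listed user, group or role gets the listed access types.
    static final class PolicyItem {
        final Set<String> users, groups, roles, accessTypes;
        PolicyItem(Set<String> u, Set<String> g, Set<String> r, Set<String> a) {
            users = u; groups = g; roles = r; accessTypes = a;
        }
    }

    // The principal that matched; kind is "user", "group" or "role".
    static final class MatchedPrincipal {
        final String kind, name;
        MatchedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
    }

    // Checks policy items in order; returns the first principal that grants the access, or null.
    static MatchedPrincipal evaluate(List<PolicyItem> items, String user, Set<String> groups,
                                     Set<String> roles, String accessType) {
        for (PolicyItem item : items) {
            if (!item.accessTypes.contains(accessType)) continue;
            if (item.users.contains(user)) return new MatchedPrincipal("user", user);
            for (String g : groups) if (item.groups.contains(g)) return new MatchedPrincipal("group", g);
            for (String r : roles) if (item.roles.contains(r)) return new MatchedPrincipal("role", r);
        }
        return null;
    }

    // Builds the audit event, setting group/role only when access came through one of them.
    static AuthzAuditEvent buildAuditEvent(String user, String resource, String accessType, MatchedPrincipal m) {
        AuthzAuditEvent ev = new AuthzAuditEvent();
        ev.user = user; ev.resource = resource; ev.accessType = accessType; ev.allowed = (m != null);
        if (m != null && m.kind.equals("group")) ev.group = m.name;
        if (m != null && m.kind.equals("role")) ev.role = m.name;
        return ev;
    }

    public static void main(String[] args) {
        // Constructed sample policy: alice directly, group "finance" and role "auditor" may read.
        PolicyItem item = new PolicyItem(Set.of("alice"), Set.of("finance"), Set.of("auditor"), Set.of("read"));
        // bob is not listed directly but is a member of "finance": the event records that group.
        MatchedPrincipal m = evaluate(List.of(item), "bob", Set.of("finance"), Set.of(), "read");
        System.out.println(buildAuditEvent("bob", "/data/ledger", "read", m));
    }
}
```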