From 0a4b63a9c66497bb63542887da9af50121a03968 Mon Sep 17 00:00:00 2001
From: yangxuze <xuze_yang@163.com>
Date: Sat, 30 Apr 2022 20:59:07 +0800
Subject: [PATCH 1/1] RANGER-3685: hive 'show' sql produces excessive audit log
---
.../hadoop/constants/RangerHadoopConstants.java | 2 ++
.../hive/authorizer/RangerHiveAuthorizer.java | 11 +++++++++--
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index 6675125e1..fbe8637b0 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -44,6 +44,8 @@
public static final String HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE = "NONE";
public static final String HIVE_URI_PERMISSION_COARSE_CHECK = "xasecure.hive.uri.permission.coarse.check";
public static final boolean HIVE_URI_PERMISSION_COARSE_CHECK_DEFAULT_VALUE = false;
+ public static final String HIVE_RECORD_AUDIT_OF_HIVE_SHOW_SQL_PROP = "xasecure.hive.record.audit.of.hive.show.sql";
+ public static final boolean HIVE_RECORD_AUDIT_OF_HIVE_SHOW_SQL_DEFAULT_VALUE = true;
public static final String HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP = "xasecure.hbase.update.xapolicies.on.grant.revoke";
public static final boolean HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
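Review bot: The new property `xasecure.hive.record.audit.of.hive.show.sql` is added without a comment saying what an operator gives up by setting it to false. Judging from the RangerHiveAuthorizer hunks in this patch, false means no RangerHiveAuditHandler is created on the list-filtering path, so that should be stated above the constant, for example `// false: no audit events are written for objects filtered by SHOW/list commands; keep true where audit completeness is required`. The default of true preserves existing behaviour, which is the right default for a switch that turns audit records off.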
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 2fd257722..6d8d22373 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -1128,7 +1128,10 @@ public void checkPrivileges(HiveOperationType hiveOpType,
RangerPerfTracer perf = null;
- RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
+ RangerHiveAuditHandler auditHandler = null;
+ if(hivePlugin.RecordAuditOfHiveShowSql){
+ auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
+ }
if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.filterListCmdObjects()");
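Review bot: With the flag off, `auditHandler` stays null for the rest of the method, and the code between this hunk and the flush is not visible here, so every place that passes or dereferences `auditHandler` in that stretch has to tolerate null. The perf tracer label suggests this is the body of filterListCmdObjects(), and skipping the handler entirely appears to drop audit records for denied objects as well as allowed ones, which removes the trail left by a user enumerating metadata they are not permitted to see. If the aim is only to cut volume, consider keeping the handler and suppressing allowed results only, and document the trade-off either way. The static field is also read through an instance reference; `RangerHivePlugin.RecordAuditOfHiveShowSql` would match how init() assigns it.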
@@ -1204,7 +1207,9 @@ public void checkPrivileges(HiveOperationType hiveOpType,
}
}
- auditHandler.flushAudit();
+ if(hivePlugin.RecordAuditOfHiveShowSql){
+ auditHandler.flushAudit();
+ }
RangerPerfTracer.log(perf);
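Review bot: The guard before `flushAudit()` re-reads the mutable static flag instead of checking the handler it protects. `RecordAuditOfHiveShowSql` is a non-final public static that init() assigns, so if its value goes from false to true between the two reads the handler is still null and this line throws a NullPointerException. `if (auditHandler != null) { auditHandler.flushAudit(); }` avoids that, or the flag can be read once into a local at the top of the method. The enclosing method starts and ends outside this hunk.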
@@ -3234,6 +3239,7 @@ public void fetchHiveObjForAlterTable(HiveAuthzContext context) {
public static boolean UpdateXaPoliciesOnGrantRevoke = RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE;
public static boolean BlockUpdateIfRowfilterColumnMaskSpecified = RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE;
public static String DescribeShowTableAuth = RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE;
+ public static boolean RecordAuditOfHiveShowSql = RangerHadoopConstants.HIVE_RECORD_AUDIT_OF_HIVE_SHOW_SQL_DEFAULT_VALUE;
private static String RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES = "ranger.plugin.hive.urlauth.filesystem.schemes";
private static String RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES_DEFAULT = "hdfs:,file:";
@@ -3252,6 +3258,7 @@ public void init() {
RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke = getConfig().getBoolean(RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP, RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
RangerHivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified = getConfig().getBoolean(RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP, RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE);
RangerHivePlugin.DescribeShowTableAuth = getConfig().get(RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP, RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE);
+ RangerHivePlugin.RecordAuditOfHiveShowSql = getConfig().getBoolean(RangerHadoopConstants.HIVE_RECORD_AUDIT_OF_HIVE_SHOW_SQL_PROP, RangerHadoopConstants.HIVE_RECORD_AUDIT_OF_HIVE_SHOW_SQL_DEFAULT_VALUE);
String fsSchemesString = getConfig().get(RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES, RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES_DEFAULT);
fsScheme = StringUtils.split(fsSchemesString, FILESYSTEM_SCHEMES_SEPARATOR_CHAR);
--
2.33.1.windows.1
ranger patch