From: vel@apache.org
To: commits@ranger.incubator.apache.org
Message-Id: <5ca8aed9b9ec41f2a08323f06f1b244f@git.apache.org>
Subject: incubator-ranger git commit: RANGER-1233: Audit logs not showing up for denied hbase scan operation for tag based policy
Date: Tue, 17 Jan 2017 19:07:43 +0000 (UTC)

Repository: incubator-ranger
Updated Branches: refs/heads/master 387aaf8a9 -> b2774746c

RANGER-1233: Audit logs not showing up for denied hbase scan operation for tag based policy
Signed-off-by: Velmurugan Periasamy Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b2774746 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b2774746 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b2774746 Branch: refs/heads/master Commit: b2774746c65f037d5bab2e04b6db24122abe9405 Parents: 387aaf8 Author: Abhay Kulkarni Authored: Tue Dec 27 10:34:24 2016 -0800 Committer: Velmurugan Periasamy Committed: Tue Jan 17 14:07:15 2017 -0500 ---------------------------------------------------------------------- .../ranger/authorization/hbase/HbaseAuditHandlerImpl.java | 10 +++++++--- .../hbase/RangerAuthorizationCoprocessor.java | 4 ++++ 2 files changed, 11 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b2774746/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java index 845cd51..1dc06eb 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/HbaseAuditHandlerImpl.java @@ -52,6 +52,9 @@ public class HbaseAuditHandlerImpl extends RangerDefaultAuditHandler implements } _mostRecentEvent = event; + if(LOG.isDebugEnabled()) { + LOG.debug("==> getAuthzEvents: mostRecentEvent:" + _mostRecentEvent); + } // We return null because we don't want default audit handler to audit anything! if(LOG.isDebugEnabled()) { LOG.debug("<== HbaseAuditHandlerImpl.getAuthzEvents(" + result + "): null"); 
@@ -134,13 +137,14 @@ public class HbaseAuditHandlerImpl extends RangerDefaultAuditHandler implements void applySuperUserOverride(AuthzAuditEvent event) { if(LOG.isDebugEnabled()) { - LOG.debug("<== HbaseAuditHandlerImpl.applySuperUserOverride(" + event + ")"); + LOG.debug("==> HbaseAuditHandlerImpl.applySuperUserOverride(" + event + ")"); } if (event != null && _superUserOverride) { - event.setAccessResult((short)1); + event.setAccessResult((short) 1); + event.setPolicyId(-1); } if(LOG.isDebugEnabled()) { - LOG.debug("==> HbaseAuditHandlerImpl.applySuperUserOverride(...)"); + LOG.debug("<== HbaseAuditHandlerImpl.applySuperUserOverride(...)"); } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b2774746/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index b28a10e..cc61a83 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java +++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java @@ -408,6 +408,10 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess } } else { everythingIsAccessible = false; + if (auditEvent != null && deniedEvent == null) { // we need to capture just one denial event + LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event."); + deniedEvent = auditEvent; + } if (LOG.isDebugEnabled()) { LOG.debug("evaluateAccess: no family level access [" + family + "]. Checking if has partial access (of any type)..."); }
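Review bot: In the first HbaseAuditHandlerImpl.java hunk (@@ -52,6 +52,9), the new debug line uses the "==>" marker mid-method, immediately before the existing "<== HbaseAuditHandlerImpl.getAuthzEvents(" exit message, and it omits the class name the other messages carry. The second hunk of this same file goes to the trouble of making "==>" mean entry and "<==" mean exit, so a "==>" that fires at the end of getAuthzEvents will mislead anyone reading a trace. Drop the arrow and add the class prefix, or fold _mostRecentEvent into the existing exit message so there is one guarded block rather than two back to back.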
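Review bot: In applySuperUserOverride (HbaseAuditHandlerImpl.java, @@ -134,13 +137,14), `event.setPolicyId(-1);` introduces a bare literal into an audit record with no comment or named constant saying what -1 stands for. Since this value ends up in the audit trail and is what reviewers will filter on to find super-user overrides, give it a named constant (or at least a one-line comment) stating that the access was granted by the override rather than by a policy, and do the same for the `(short) 1` access result next to it. The swapped "==>" and "<==" markers in this hunk look correct.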
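Review bot: In the RangerAuthorizationCoprocessor.java hunk (@@ -408,6 +408,10), the condition `auditEvent != null && deniedEvent == null` silently skips the case where access is denied but auditEvent is null, so that denial still leaves deniedEvent unset and nothing in the log explains why. Given that the commit is about missing audit records for denials, add an else branch (or a debug message) for the null auditEvent case so the gap is visible. Two smaller points on the same lines: the comment says "just one denial event" and the guard keeps the first one seen, while the message text says "last auth failure audit event", which reads as the opposite, so reword one of them; and the added LOG.debug call is not wrapped in `if (LOG.isDebugEnabled())` like the call directly below it, which is harmless for a constant string but inconsistent with the surrounding code.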