Privilege Auditing¶
Logging Details when Processing Privileges¶
To log these details, do this:
Execute this command:
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'true';
Set the log category com.denodo.vdb.security.queryPrivileges to DEBUG. You can do this by editing <DENODO_HOME>/conf/vdp/log4j2.xml or by executing the stored procedure LOGCONTROLLER:
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'DEBUG');
When enabled, this feature writes a log entry for each view processed in a query, detailing the privileges loaded for the user and its roles. Take into account that the privileges shown for a specific view are the ones processed to decide the overall privileges over that view. This means there may be further privileges that are not listed, because the ones already processed were enough to decide the final privileges. Also, some of the processed privileges that are listed may not be part of the final privileges.
This feature is very verbose, so restoring the properties to their default values after auditing is strongly recommended:
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'false';
CALL logcontroller('com.denodo.vdb.security.queryPrivileges', 'error');
Impersonation¶
Virtual DataPort allows impersonation of users or roles in queries to audit the usage of privileges and policies. By default, only administrator users with the role impersonator are allowed to impersonate in queries. However, non-admin users with the impersonator role can also execute impersonated queries if you activate this property:
SET 'com.denodo.vdb.security.allowImpersonateToRegularUsers' = 'true';
There are two types of impersonation:
Impersonation of a local user. Executes the query using the security configuration of that user. Use the context clause impersonate_user in your query, as in this example:
SELECT ename FROM employee CONTEXT('impersonate_user'='user1');
Impersonation of roles. Executes the query using the security configuration of a set of roles. Take into account that local users, and even some external users, include the role allUsers by default. Use the context clause impersonate_roles in your query, as in this example:
SELECT ename FROM employee CONTEXT('impersonate_roles'='role1,role2,role3');
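The following VQL session ties the two features above together as one audit run. It is an added example, not a snippet from the Denodo documentation: it enables privilege logging, executes the same query under the administrator's own session, under a local user and under an explicit role set (so the DEBUG log shows which privileges were evaluated for each identity), and then restores the defaults. The view employee, the user user1 and the roles role1 and role2 are the placeholders used in the examples above. Two points are this editor's assumptions rather than statements on the page: that the impersonate_roles list is taken literally, so allUsers must be named explicitly to reproduce what a local user would see; and that setting allowImpersonateToRegularUsers back to 'false' restores the default in which only administrators with the impersonator role may impersonate.

```sql
-- Added example (not from the Denodo documentation). Run from a VDP session
-- held by an administrator that has the 'impersonator' role.

-- 1. Turn on privilege logging and raise the log category to DEBUG.
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'true';
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'DEBUG');

-- 2. Baseline: the query under the current (administrator) session.
SELECT ename FROM employee;

-- 3. Same query as the local user 'user1' (placeholder from the examples above).
--    The log now lists, view by view, the privileges loaded for user1 and its roles.
SELECT ename FROM employee CONTEXT('impersonate_user'='user1');

-- 4. Same query with an explicit role set. allUsers is added by hand here on the
--    assumption that the list is used as-is; local users carry allUsers by default,
--    so omitting it would audit a narrower identity than any real local user has.
SELECT ename FROM employee CONTEXT('impersonate_roles'='role1,role2,allUsers');

-- 5. Restore defaults. The logger is very verbose, and the impersonation property
--    (if it was enabled for non-admin users) widens who may impersonate; resetting
--    it to 'false' is assumed to restore the administrator-only default.
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'false';
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'error');
SET 'com.denodo.vdb.security.allowImpersonateToRegularUsers' = 'false';
```

Compare the log entries written for steps 2, 3 and 4 for the same view: a privilege that appears in the administrator's entry but not in user1's is one that the user would need granted directly or through a role, and step 4 lets you test a candidate role set before actually assigning it.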