Privilege Auditing
Logging Details when Processing Privileges
To log these details, do this:
1. Execute this command:
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'true';
2. Set the log category com.denodo.vdb.security.queryPrivileges to DEBUG. You can do this by editing <DENODO_HOME>/conf/vdp/log4j2.xml or by executing the stored procedure LOGCONTROLLER:
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'DEBUG');
When enabled, this feature writes a log entry for each view processed in a query, detailing the privileges loaded for the user and its roles. Take into account that the privileges shown for a specific view are only the ones that were processed to decide the overall privileges over that view. This means there might be further privileges that are not listed, if the ones already processed were enough to decide the final privileges. Also, some of the processed privileges that are listed might not be part of the final privileges.
This feature is very verbose, so restoring the property and the log level to their default values after auditing is strongly recommended:
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'false';
CALL logcontroller('com.denodo.vdb.security.queryPrivileges', 'error');
Impersonation
Virtual DataPort allows impersonating users or roles in queries in order to audit the usage of privileges and policies. By default, only administrator users that have the role impersonator are allowed to impersonate in queries. Non-admin users that have the impersonator role can also be allowed to execute such queries by activating this property:
SET 'com.denodo.vdb.security.allowImpersonateToRegularUsers' = 'true';
There are two types of impersonation:
1. Impersonation of a local user. Executes the query using the security configuration of that user. Use the context clause impersonate_user in your query, as in this example:
SELECT ename FROM employee CONTEXT('impersonate_user'='user1');
2. Impersonation of roles. Executes the query using the security configuration of a set of roles. Take into account that local users, and even some external users, include the role allUsers by default. Use the context clause impersonate_roles in your query, as in this example:
SELECT ename FROM employee CONTEXT('impersonate_roles'='role1,role2,role3');
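The following VQL session is an added example, not taken from the Denodo documentation, that strings the two sections above together into one privilege audit: it switches on privilege logging, runs the same query once as an impersonated user and once as a candidate role set so the two log entries can be compared, and then restores the defaults. The view employee, the user user1 and the role role1 are the page's own sample names; the audited view and the log destination are whatever the server is configured with.

```sql
-- Added example (VQL, typed into the Virtual DataPort administration tool).
-- Step 1: enable privilege logging only for the duration of the audit.
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'true';
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'DEBUG');

-- Step 2: run the query under the security configuration being audited.
-- Each view the query touches produces a DEBUG entry listing the privileges
-- that were loaded for user1 and the roles it holds.
SELECT ename FROM employee CONTEXT('impersonate_user' = 'user1');

-- Step 3: run the same query as a candidate role set, to see what the roles
-- alone would grant. allUsers is listed explicitly because real local users
-- carry it by default, so leaving it out would not reproduce their privileges.
SELECT ename FROM employee CONTEXT('impersonate_roles' = 'allUsers,role1');

-- Step 4: the logger is very verbose, so restore the defaults immediately.
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'false';
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'error');
```

Comparing the entries written for steps 2 and 3 shows whether a privilege observed for user1 comes from role1 or from another role or grant, which is the question the audit is meant to answer.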
