Privilege auditing

Logging Details when Processing Privileges

To log these details, do this:

  1. Execute this command:

    SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'true';

  2. Set the log category com.denodo.vdb.security.queryPrivileges to DEBUG, either by editing <DENODO_HOME>/conf/vdp/log4j2.xml or by executing the stored procedure LOGCONTROLLER:

    CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'DEBUG');

    The changes done with LOGCONTROLLER are lost when Virtual DataPort is stopped; edit log4j2.xml if the setting must survive a restart.

When enabled, this feature creates a log entry for each view processed in a query, detailing the privileges loaded for the user and its roles. Take into account that the privileges shown for a specific view are the ones that were processed to decide the overall privileges over that view. This means there may be further privileges that are not listed, because the ones already processed were enough to decide the final privileges. Also, some of the processed privileges listed may not be part of the final privileges.

This feature is very verbose, so restoring the properties to their default values after auditing is strongly recommended:

SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'false';
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'ERROR');

Impersonation

Virtual DataPort allows impersonating users or roles in queries in order to audit the usage of privileges and policies. Only administrator users that have the role impersonator are allowed to impersonate in queries. Two types of impersonation can be used:

  • Impersonation of a local user. Executes the query using the security configuration of that user. Use the CONTEXT clause impersonate_user in your query, as in this example:

    SELECT ename
    FROM employee
    CONTEXT('impersonate_user'='user1');
    
  • Impersonation of roles. Executes the query using the security configuration of a set of roles. Take into account that local users, and even some external users, have the role allUsers by default. Use the CONTEXT clause impersonate_roles in your query, as in this example:

    SELECT ename
    FROM employee
    CONTEXT('impersonate_roles'='role1,role2,role3');
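The two features above combine into a single audit session: turn on privilege logging, run the query under investigation while impersonating the principal whose effective privileges you want to check, and restore the defaults. The following VQL script is an added example and is not part of the original documentation; the view employee, the user user1, the roles analyst and allUsers, and the database name are constructed for illustration. It assumes the session belongs to an administrator that has the impersonator role, and that the log category has been set with LOGCONTROLLER rather than in log4j2.xml (so it is reset at the end of the script).

```sql
-- Added example: audit the privileges that user1 and a role set would
-- exercise on the view employee, without logging in as that principal.
-- Assumptions: database "hr", view "employee", user "user1" and role
-- "analyst" are constructed names; the session user holds the role
-- impersonator.

-- 1. Enable detailed privilege logging (very verbose: do this only for
--    the duration of the audit).
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'true';
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'DEBUG');

-- 2. Run the query as the local user under audit. The log now receives
--    one entry per processed view, listing the privileges loaded for
--    user1 and its roles that were used to decide access to employee.
SELECT ename
FROM hr.employee
CONTEXT('impersonate_user' = 'user1');

-- 3. Run the same query with only a set of roles. Include allUsers
--    explicitly, because it is granted to local users by default and
--    omitting it changes the outcome of the privilege evaluation.
SELECT ename
FROM hr.employee
CONTEXT('impersonate_roles' = 'analyst,allUsers');

-- 4. Restore the defaults so normal query processing stops writing the
--    per-view privilege entries.
SET 'com.denodo.vdb.security.queryPrivilegesLoggerEnabled' = 'false';
CALL LOGCONTROLLER('com.denodo.vdb.security.queryPrivileges', 'ERROR');
```

Compare the entries written for step 2 and step 3: a privilege that appears only in the user run comes from a grant on user1 itself (or on a role it has that is not in the impersonated role list), which is the kind of direct grant that tends to bypass role-based review. Remember that each entry lists only the privileges processed to decide the final result, so the absence of a privilege from the log does not prove it was never granted.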