You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Duo Zhang (Jira)" <ji...@apache.org> on 2023/01/20 08:59:00 UTC
[jira] [Assigned] (HBASE-27528) log duplication issues in MasterRpcServices

     [ https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Duo Zhang reassigned HBASE-27528:
---------------------------------

    Assignee: Beibei Zhao

> log duplication issues in MasterRpcServices
> -------------------------------------------
>
>                 Key: HBASE-27528
>                 URL: https://issues.apache.org/jira/browse/HBASE-27528
>             Project: HBase
>          Issue Type: Bug
>          Components: logging, master, rpc, security
>            Reporter: Beibei Zhao
>            Assignee: Beibei Zhao
>            Priority: Major
>
> MasterRpcServices record audit log in privileged operations (grant, revoke) and vital apis like "execMasterService".
> {code:java}
>   public RevokeResponse revoke(RpcController controller, RevokeRequest request)
>     throws ServiceException {
>     try {
>       ......
>         server.cpHost.preRevoke(userPermission); // has audit log in AccessChecker
>        ...... // removeUserPermission
>         User caller = RpcServer.getRequestUser().orElse(null);
>         if (AUDITLOG.isTraceEnabled()) {
>           // audit log should record all permission changes
>           String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
>           AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller,
>             remoteAddress, userPermission);
>         }
>         ......
>   }
> {code}
> but I found a path from *server.cpHost.preRevoke(userPermission);* to {*}AccessChecker audit log{*}, which caused {*}log duplication{*}.
> {code:java}
> public void requireGlobalPermission(User user, String request, Action perm, String namespace)
>     throws IOException {
>     AuthResult authResult;
>     if (authManager.authorizeUserGlobal(user, perm)) {
>       authResult = AuthResult.allow(request, "Global check allowed", user, perm, null);
>       authResult.getParams().setNamespace(namespace);
>       logResult(authResult);
>     } else {
>       authResult = AuthResult.deny(request, "Global check failed", user, perm, null);
>       authResult.getParams().setNamespace(namespace);
>       logResult(authResult);
>       throw new AccessDeniedException(
>         "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null")
>           + "' (global, action=" + perm.toString() + ")");
>     }
>   }
>   public static void logResult(AuthResult result) {
>     if (AUDITLOG.isTraceEnabled()) {
>       User user = result.getUser();
>       UserGroupInformation ugi = user != null ? user.getUGI() : null;
>       AUDITLOG.trace(
>         "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {};"
>           + "auth method: {}",
>         (result.isAllowed() ? "allowed" : "denied"),
>         (user != null ? user.getShortName() : "UNKNOWN"), result.getReason(),
>         RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""), result.getRequest(),
>         result.toContextString(), ugi != null ? ugi.getAuthenticationMethod() : "UNKNOWN");
>     }
>   }
> {code}
> Since *AccessChecker* integrates auditlogs for permission check, I'll delete the log in MasterRpcServices.
> There must be more problems like this, I' ll check it later and commit the code.
> -There are many "write" operations like "deleteTable", which may cause security problems, should also record an audit log.-



--
This message was sent by Atlassian Jira
(v8.20.10#820010)