Posted to issues@hbase.apache.org by "Andor Molnar (JIRA)" <ji...@apache.org> on 2019/07/29 11:23:00 UTC

[jira] [Created] (HBASE-22759) Add user info to AUDITLOG events when doing grant/revoke

Andor Molnar created HBASE-22759:
------------------------------------

             Summary: Add user info to AUDITLOG events when doing grant/revoke
                 Key: HBASE-22759
                 URL: https://issues.apache.org/jira/browse/HBASE-22759
             Project: HBase
          Issue Type: Improvement
          Components: logging, security
    Affects Versions: 2.1.5, 2.2.0, 3.0.0
            Reporter: Andor Molnar
            Assignee: Andor Molnar
             Fix For: 3.0.0, 2.3.0, 2.2.1, 2.1.6


On *branch-2.1* the AUDITLOG event is raised like this:
{noformat}
AUDITLOG.trace("Granted permission " + perm.toString());
{noformat}
I'd like to extend this line with "caller" user info like this:
{noformat}
AUDITLOG.trace("User {} granted permission {}", caller, perm.toString());
{noformat}
A similar change is proposed for the Revoke event.

On branch-2.2+ the grant() and revoke() methods in AccessController have been deprecated and the logic was moved to {{MasterRpcServices}}, but that class doesn't do any audit logging. I'm not sure why audit logging has been removed or whether there is any replacement in the refactored logic, but audit logging is a crucial security tool in our environment to track change events on ACLs.

I'm planning to add AUDITLOG to {{MasterRpcServices}} to bring back this functionality, but please FIXME and point me in the right direction if needed.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)