You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Andor Molnar (JIRA)" <ji...@apache.org> on 2019/07/29 11:23:00 UTC
[jira] [Created] (HBASE-22759) Add user info to AUDITLOG events
when doing grant/revoke
Andor Molnar created HBASE-22759:
------------------------------------
Summary: Add user info to AUDITLOG events when doing grant/revoke
Key: HBASE-22759
URL: https://issues.apache.org/jira/browse/HBASE-22759
Project: HBase
Issue Type: Improvement
Components: logging, security
Affects Versions: 2.1.5, 2.2.0, 3.0.0
Reporter: Andor Molnar
Assignee: Andor Molnar
Fix For: 3.0.0, 2.3.0, 2.2.1, 2.1.6
On *branch-2.1* the AUDITLOG events is raised like this:
{noformat}
AUDITLOG.trace("Granted permission " + perm.toString());{noformat}
I'd like to extend this line with "caller" user info like this:
{noformat}
AUDITLOG.trace("User {} granted permission {}", caller, perm.toString());{noformat}
Similar change is proposed for Revoke event.
On branch-2.2+ grant() and revoke() methods in AccessController have been deprecated and logic was moved to {{MasterRpcServices}}, but that class doesn't do any audit logging. I'm not sure about why audit logging has been removed and about any replacement in the refactored logic, but Audit logging is a crucial security tool in our environment to track change events on ACLs.
I'm planning to add AUDITLOG to {{MasterRpcServices}} to bring back this functionality, but please FIXME and point me in the right direction if needed.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)