Posted to commits@hbase.apache.org by ps...@apache.org on 2019/08/07 09:17:02 UTC
[hbase] branch branch-2.2 updated: HBASE-22759 Add user info to
AUDITLOG events when doing grant/revoke
This is an automated email from the ASF dual-hosted git repository.
psomogyi pushed a commit to branch branch-2.2
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.2 by this push:
new 5b1799a HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke
5b1799a is described below
commit 5b1799a7750679876892f52e9ef5d5c0f957e6ce
Author: Andor Molnár <an...@cloudera.com>
AuthorDate: Wed Aug 7 11:06:30 2019 +0200
HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke
---
.../apache/hadoop/hbase/master/MasterRpcServices.java | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index c115820..c8b56fb 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -335,6 +335,8 @@ public class MasterRpcServices extends RSRpcServices
implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
LockService.BlockingInterface, HbckService.BlockingInterface {
private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
+ private static final Logger AUDITLOG =
+ LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
private final HMaster master;
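Review bot: The `AUDITLOG` field is declared without a comment saying what it records or at which level. Both call sites in this commit log at TRACE, so grant and revoke events stay unrecorded unless an operator raises this category. I would add above the field: `// Audit trail for permission changes; emitted at TRACE under the "SecurityLogger." category, which must be enabled in the logging configuration.` The class body continues outside the hunk.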
@@ -2542,6 +2544,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.postGrant(perm, mergeExistingPermissions);
}
+ User caller = RpcServer.getRequestUser().orElse(null);
+ if (AUDITLOG.isTraceEnabled()) {
+ // audit log should store permission changes in addition to auth results
+ String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+ AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
+ perm);
+ }
return GrantResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
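Review bot: `caller` is resolved with `orElse(null)` outside the `isTraceEnabled()` guard, so the lookup runs on every grant even when auditing is off, and a request with no RPC user is recorded as `User null`, which is ambiguous in an audit trail. Move the lookup inside the guard and log an explicit marker, for example `String caller = RpcServer.getRequestUser().map(User::toString).orElse("<unknown>");`. The record is also written only on the success path after `postGrant`, so a grant that fails with an IOException leaves no entry from this method; the code comment implies auth results are logged elsewhere, which is worth confirming. The revoke hunk below has the same pattern and needs the same change. The enclosing method starts and ends outside the hunk.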
@@ -2563,6 +2572,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission);
}
+ User caller = RpcServer.getRequestUser().orElse(null);
+ if (AUDITLOG.isTraceEnabled()) {
+ // audit log should record all permission changes
+ String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+ AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
+ userPermission);
+ }
return RevokeResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);