Posted to commits@hbase.apache.org by ps...@apache.org on 2019/08/07 09:17:02 UTC

[hbase] branch branch-2.2 updated: HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke

This is an automated email from the ASF dual-hosted git repository.

psomogyi pushed a commit to branch branch-2.2
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/branch-2.2 by this push:
     new 5b1799a  HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke
5b1799a is described below

commit 5b1799a7750679876892f52e9ef5d5c0f957e6ce
Author: Andor Molnár <an...@cloudera.com>
AuthorDate: Wed Aug 7 11:06:30 2019 +0200

    HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke
---
 .../apache/hadoop/hbase/master/MasterRpcServices.java    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index c115820..c8b56fb 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -335,6 +335,8 @@ public class MasterRpcServices extends RSRpcServices
       implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
         LockService.BlockingInterface, HbckService.BlockingInterface {
   private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
+  private static final Logger AUDITLOG =
+      LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
 
   private final HMaster master;
 
@@ -2542,6 +2544,13 @@ public class MasterRpcServices extends RSRpcServices
       if (master.cpHost != null) {
         master.cpHost.postGrant(perm, mergeExistingPermissions);
       }
+      User caller = RpcServer.getRequestUser().orElse(null);
+      if (AUDITLOG.isTraceEnabled()) {
+        // audit log should store permission changes in addition to auth results
+        String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+        AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
+                perm);
+      }
       return GrantResponse.getDefaultInstance();
     } catch (IOException ioe) {
       throw new ServiceException(ioe);
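Review bot: The audit record is written only after `master.cpHost.postGrant(perm, mergeExistingPermissions)` returns, so an `IOException` thrown by that hook goes straight to the `catch` and no audit line is emitted. If the permission has already been stored by then (the update itself is above this hunk, so this is inferred), a grant that took effect would be missing from the audit log. Consider moving the `if (AUDITLOG.isTraceEnabled()) { ... }` block ahead of the `if (master.cpHost != null)` post-hook check, or logging the failure path separately. The revoke hunk below has the same ordering around `postRevoke`, and the enclosing method starts and ends outside this hunk.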
@@ -2563,6 +2572,13 @@ public class MasterRpcServices extends RSRpcServices
       if (master.cpHost != null) {
         master.cpHost.postRevoke(userPermission);
       }
+      User caller = RpcServer.getRequestUser().orElse(null);
+      if (AUDITLOG.isTraceEnabled()) {
+        // audit log should record all permission changes
+        String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+        AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
+                userPermission);
+      }
       return RevokeResponse.getDefaultInstance();
     } catch (IOException ioe) {
       throw new ServiceException(ioe);
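Review bot: `User caller = RpcServer.getRequestUser().orElse(null);` sits outside the `isTraceEnabled()` guard and turns an absent request user into the literal text `null` in the audit line, which a reader cannot tell apart from a real principal name or a failed lookup. Move the lookup inside the guard and render the absent case explicitly, for example `String caller = RpcServer.getRequestUser().map(User::toString).orElse("<unknown>");`. The grant hunk above does the same. Both messages are emitted at TRACE, so a comment on the `AUDITLOG` field should say that this logger name has to be enabled at TRACE before grant/revoke events are recorded at all.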