Posted to issues@hbase.apache.org by "Bryan Beaudreault (Jira)" <ji...@apache.org> on 2021/08/01 14:42:00 UTC

[jira] [Commented] (HBASE-26160) Configurable disallowlist for live editing of loglevels

    [ https://issues.apache.org/jira/browse/HBASE-26160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391171#comment-17391171 ] 

Bryan Beaudreault commented on HBASE-26160:
-------------------------------------------

Linked PR adds a new configuration hbase.ui.logLevels.readonly.loggers, which accepts a comma-separated list of loggers which cannot be modified by the logLevel page. Results in an error like this:

 
h2. HTTP ERROR 403 Modification of logger org.apache.hadoop.hbase.security.access not allowed.
||URI:|/logLevel|
||STATUS:|403|
||MESSAGE:|Modification of logger org.apache.hadoop.hbase.security.access not allowed.|
||SERVLET:|logLevel|

> Configurable disallowlist for live editing of loglevels
> -------------------------------------------------------
>
>                 Key: HBASE-26160
>                 URL: https://issues.apache.org/jira/browse/HBASE-26160
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Bryan Beaudreault
>            Assignee: Bryan Beaudreault
>            Priority: Minor
>
> We currently use log4j/slf4j for audit logging in AccessController. This is convenient but presents a security/compliance risk because we allow live-editing of logLevels via the UI. One can simply set the logger to OFF and then perform actions un-audited.
> We should add a configuration for setting certain log levels to read-only.



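One way to implement the read-only check described in the comment above, as an added Java example that is not the linked PR's code or HBase's own. The class and method names, the dot-boundary child match, and the rule that ancestors of a listed logger are also locked are assumptions of this example; the sample configuration value and request names are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

/** Added example (not HBase code): read-only logger check for a log-level servlet. */
public class ReadOnlyLoggers {
  private final List<String> readOnly;

  /** @param csv value of hbase.ui.logLevels.readonly.loggers (comma-separated names) */
  public ReadOnlyLoggers(String csv) {
    // Tolerate null, stray whitespace and empty entries in the configured list.
    readOnly = csv == null ? List.of() : Arrays.stream(csv.split(","))
        .map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toList());
  }

  /** True when b equals a or sits below a in the dotted logger hierarchy. */
  private static boolean isSameOrChild(String a, String b) {
    return b.equals(a) || b.startsWith(a + ".");
  }

  /** Assumed policy: lock each listed logger, its children and its ancestors. */
  public boolean isChangeAllowed(String logger) {
    for (String ro : readOnly) {
      // Child match uses a dot boundary so "a.b" does not also lock "a.bc".
      // Ancestor match: a level set on a parent is inherited by children
      // that have no level of their own, so the parent is locked as well.
      if (isSameOrChild(ro, logger) || isSameOrChild(logger, ro)) {
        return false;
      }
    }
    return true;
  }

  /** HTTP status for a set-level request (403 as in the error shown on the page). */
  public int statusFor(String logger) {
    return isChangeAllowed(logger) ? 200 : 403;
  }

  public static void main(String[] args) {
    // Constructed sample configuration value with messy spacing.
    ReadOnlyLoggers ro = new ReadOnlyLoggers(" org.apache.hadoop.hbase.security.access , ");
    String[] requests = {                                   // constructed requests
      "org.apache.hadoop.hbase.security.access",            // listed logger
      "org.apache.hadoop.hbase.security.access.AccessController", // child
      "org.apache.hadoop.hbase.security",                   // ancestor
      "org.apache.hadoop.hbase.security.accessories",       // sibling with same prefix
      "org.apache.hadoop.hbase.regionserver"                // unrelated
    };
    for (String r : requests) System.out.println(ro.statusFor(r) + " " + r);
  }
}
```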