Posted to commits@hbase.apache.org by zh...@apache.org on 2021/12/04 15:00:06 UTC
[hbase] branch master updated: HBASE-26517 Add auth method information to AccessChecker audit log (#3897)
This is an automated email from the ASF dual-hosted git repository.
zhangduo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/master by this push:
new cf5bc6a HBASE-26517 Add auth method information to AccessChecker audit log (#3897)
cf5bc6a is described below
commit cf5bc6afcad9547edffb7bb0d8d85a4ff4a0e1b7
Author: Tomu Tsuruhara <to...@gmail.com>
AuthorDate: Sat Dec 4 23:59:29 2021 +0900
HBASE-26517 Add auth method information to AccessChecker audit log (#3897)
Signed-off-by: Duo Zhang <zh...@apache.org>
---
.../apache/hadoop/hbase/security/access/AccessChecker.java | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java
index 6a2308c..be968e5 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java
@@ -46,6 +46,7 @@ import org.apache.hadoop.hbase.security.access.Permission.Action;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.HadoopKerberosName;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.yetus.audience.InterfaceStability;
import org.slf4j.Logger;
@@ -366,12 +367,16 @@ public class AccessChecker {
public static void logResult(AuthResult result) {
if (AUDITLOG.isTraceEnabled()) {
+ User user = result.getUser();
+ UserGroupInformation ugi = user != null ? user.getUGI() : null;
AUDITLOG.trace(
- "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {}",
+ "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {};" +
+ "auth method: {}",
(result.isAllowed() ? "allowed" : "denied"),
- (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN"),
+ (user != null ? user.getShortName() : "UNKNOWN"),
result.getReason(), RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""),
- result.getRequest(), result.toContextString());
+ result.getRequest(), result.toContextString(),
+ ugi != null ? ugi.getAuthenticationMethod() : "UNKNOWN");
}
}
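Review bot: The concatenated format string in `AUDITLOG.trace` has no space between `context: {};` and `auth method: {}`, so the new field is emitted as `...;auth method: ...` while every other field is separated by `; `. Anything that splits audit lines on `; ` would miss or mis-attribute the auth method; end the first literal with a trailing space, `"Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {}; " +`. Separately, the `"UNKNOWN"` fallback only covers a null `ugi`; if `ugi.getAuthenticationMethod()` can itself return null for a UGI with no method set (worth confirming), the line would print `null`, which could be normalised with `Objects.toString(ugi.getAuthenticationMethod(), "UNKNOWN")`, provided `java.util.Objects` is imported in this file (the import block is only partly visible in the hunk).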