You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Andor Molnar (JIRA)" <ji...@apache.org> on 2019/07/29 14:18:00 UTC
[jira] [Commented] (HBASE-22759) Add user info to AUDITLOG events
when doing grant/revoke
[ https://issues.apache.org/jira/browse/HBASE-22759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16895290#comment-16895290 ]
Andor Molnar commented on HBASE-22759:
--------------------------------------
I submitted 2 patches with the desired changes: first one is for 2.1, second is for 2.2+ versions.
> Add user info to AUDITLOG events when doing grant/revoke
> --------------------------------------------------------
>
> Key: HBASE-22759
> URL: https://issues.apache.org/jira/browse/HBASE-22759
> Project: HBase
> Issue Type: Improvement
> Components: logging, security
> Affects Versions: 3.0.0, 2.2.0, 2.1.5
> Reporter: Andor Molnar
> Assignee: Andor Molnar
> Priority: Major
> Fix For: 3.0.0, 2.3.0, 2.2.1, 2.1.6
>
>
> On *branch-2.1* the AUDITLOG events is raised like this:
> {noformat}
> AUDITLOG.trace("Granted permission " + perm.toString());{noformat}
> I'd like to extend this line with "caller" user info like this:
> {noformat}
> AUDITLOG.trace("User {} granted permission {}", caller, perm.toString());{noformat}
> Similar change is proposed for Revoke event.
> On branch-2.2+ grant() and revoke() methods in AccessController have been deprecated and logic was moved to {{MasterRpcServices}}, but that class doesn't do any audit logging. I'm not sure about why audit logging has been removed and about any replacement in the refactored logic, but Audit logging is a crucial security tool in our environment to track change events on ACLs.
> I'm planning to add AUDITLOG to {{MasterRpcServices}} to bring back this functionality, but please FIXME and point me in the right direction if needed.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)