Expand Up @@ -349,6 +349,8 @@ public class MasterRpcServices extends RSRpcServices
implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
LockService.BlockingInterface, HbckService.BlockingInterface {
private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
private static final Logger AUDITLOG =
LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());

private final HMaster master;

Expand Down Expand Up @@ -2584,6 +2586,13 @@ public GrantResponse grant(RpcController controller, GrantRequest request)
if (master.cpHost != null) {
master.cpHost.postGrant(perm, mergeExistingPermissions);
}
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
Contributor

With parameterized logging in slf4j we don't need isTraceEnabled or isDebugEnabled checks.

Contributor Author

Thanks, I'll remove it.

// audit log should store permission changes in addition to auth results
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
perm);
}
return GrantResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
Expand All @@ -2605,6 +2614,13 @@ public RevokeResponse revoke(RpcController controller, RevokeRequest request)
if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission);
}
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should record all permission changes
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
userPermission);
}
return RevokeResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
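Review bot: The audit record in grant() is written only after `master.cpHost.postGrant(perm, mergeExistingPermissions)` returns, and revoke() does the same after `postRevoke(userPermission)`; if a post hook throws IOException (the surrounding catch suggests it can), the permission change has presumably already been applied but no audit line is emitted. Moving the `AUDITLOG.trace(...)` call to directly after the change is applied, before the `if (master.cpHost != null)` block, would close that gap; the lines that apply the change are outside both hunks, so the exact position has to be checked there. Separately, `RpcServer.getRequestUser().orElse(null)` makes a call without a request user log as `User null`, and a named placeholder such as `.map(Object::toString).orElse("(unknown)")` would keep the record unambiguous. Because the record is emitted at TRACE, it exists only where the `SecurityLogger.` logger is configured at that level, which is worth stating in the comment, e.g. `// audit trail: enable TRACE on SecurityLogger.* to record permission changes`.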