  1. Eagle (Retired)
  2. EAGLE-476

Outdated HBase audit log parser

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • v0.5.0
    • None
    • None
    • Important

    Description

      The parsing logic for HBase audit logs (security logs) fails for some of the newly formatted HBase audit logs. Obviously, this can cause the Eagle service to overlook these log lines and fail to generate alerts, which can have a severe outcome in terms of security. For example:

      2016-08-17 14:09:52,232 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: Table permission granted; remote address: /127.0.0.1; request: flush; context: (user=petkim, scope=hbase:meta, params=[table=hbase:meta],action=ADMIN)

      2016-08-17 14:04:27,042 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user petkim; reason: All users allowed; remote address: /111.1.1.1; request: scan; context: (user=petkim, scope=hbase:meta, family=info, params=[table=hbase:meta,family=info],action=READ)

      These log lines are not parsed correctly as the fields that the current regex matches are static. The first log does not have the field "family" and the second one has a new field named "params". So, the parsing logic fails here.

      To fix this and ensure scalability (reliable no matter how many fields are omitted or added), I will extend the current parsing logic to be more reliable.

            People

              petkim Peter Kim