HBase / HBASE-22759

Add user info to AUDITLOG events when doing grant/revoke

Details

    Description

      On branch-2.1 the AUDITLOG event is raised like this:

      AUDITLOG.trace("Granted permission " + perm.toString());

      I'd like to extend this line with "caller" user info like this:

      AUDITLOG.trace("User {} granted permission {}", caller, perm.toString());

      A similar change is proposed for the Revoke event.

      On branch-2.2+ the grant() and revoke() methods in AccessController have been deprecated and the logic was moved to MasterRpcServices, but that class doesn't do any audit logging. I'm not sure why audit logging has been removed or about any replacement in the refactored logic, but audit logging is a crucial security tool in our environment to track change events on ACLs.

      I'm planning to add AUDITLOG to MasterRpcServices to bring back this functionality, but please FIXME and point me in the right direction if needed.

          People

            andor Andor Molnar
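An added example, not part of the original issue or of the HBase code base: a small audit-log reader that shows what the proposed "User {} granted permission {}" shape gives a reviewer, namely ACL changes grouped by caller, while events in the old "Granted permission" shape end up in an unattributed bucket. Assumptions: the revoke messages mirror the grant ones, the user name contains no spaces, and the line prefix, user names and permission text in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Grant shapes are the two messages quoted in the issue. The revoke shapes are
# an assumption that mirrors them; the issue does not quote the revoke text.
ATTRIBUTED = re.compile(r"User (?P<user>\S+) (?P<verb>granted|revoked) permission (?P<perm>.+)$")
ANONYMOUS = re.compile(r"(?P<verb>Granted|Revoked) permission (?P<perm>.+)$")
ACTION = {"granted": "grant", "revoked": "revoke"}


def parse_acl_event(line):
    """Return (action, user, perm) for a grant/revoke audit line, else None.

    user is None for the old shape, which records no caller. perm is the
    output of perm.toString(), kept as an opaque string.
    """
    line = line.rstrip()
    m = ATTRIBUTED.search(line)
    if m:
        return ACTION[m["verb"]], m["user"], m["perm"]
    m = ANONYMOUS.search(line)
    if m:
        return ACTION[m["verb"].lower()], None, m["perm"]
    return None


def attribute_acl_changes(lines):
    """Group ACL changes by caller; collect the ones nobody can be tied to."""
    by_user, unattributed = defaultdict(list), []
    for line in lines:
        event = parse_acl_event(line)
        if event is None:
            continue  # not a grant/revoke audit line
        action, user, perm = event
        if user is None:
            unattributed.append((action, perm))
        else:
            by_user[user].append((action, perm))
    return dict(by_user), unattributed


# Constructed sample lines: the prefix, user names and permission text are
# placeholders, not real HBase output.
SAMPLE = [
    "t1 TRACE AUDITLOG: Granted permission <perm-1>",
    "t2 TRACE AUDITLOG: User alice granted permission <perm-2>",
    "t3 TRACE AUDITLOG: User bob revoked permission <perm-2>",
    "t4 INFO other: region opened",
    "t5 TRACE AUDITLOG: User alice revoked permission <perm-3>",
]
```

Calling attribute_acl_changes(SAMPLE) returns the per-user change lists plus the one old-shape grant that cannot be tied to any caller.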