Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-6386

Audit log messages do not include column family / qualifier information consistently

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 0.95.2
    • 0.95.0
    • security
    • None
    • Hide
      Here is how output now looks:

      request: put; context: (user=th30z, scope=test-table, family=cf0:q|cf1:q, action=WRITE)
      request: put; context: (user=th30z, scope=.META., family=info:server|info:serverstartcode, action=WRITE)
      request: get; context: (user=th30z, scope=.META., family=info, action=READ)
      request: get; context: (user=th30z, scope=testtb, family=cf|cf2, action=READ)
      request: get; context: (user=th30z, scope=testtb, family=cf:q, action=READ)
      request: scannerOpen; context: (user=th30z, scope=testtb, family=cf|cf2, action=READ)
      request: scannerOpen; context: (user=th30z, scope=testtb, family=cf:q, action=READ)
      request: scannerOpen; context: (user=th30z, scope=testtb, family=cf:q|cf2:q, action=READ)
      request: delete; context: (user=th30z, scope=testtb, family=cf:q, action=WRITE)
      Show
      Here is how output now looks: request: put; context: (user=th30z, scope=test-table, family=cf0:q|cf1:q, action=WRITE) request: put; context: (user=th30z, scope=.META., family=info:server|info:serverstartcode, action=WRITE) request: get; context: (user=th30z, scope=.META., family=info, action=READ) request: get; context: (user=th30z, scope=testtb, family=cf|cf2, action=READ) request: get; context: (user=th30z, scope=testtb, family=cf:q, action=READ) request: scannerOpen; context: (user=th30z, scope=testtb, family=cf|cf2, action=READ) request: scannerOpen; context: (user=th30z, scope=testtb, family=cf:q, action=READ) request: scannerOpen; context: (user=th30z, scope=testtb, family=cf:q|cf2:q, action=READ) request: delete; context: (user=th30z, scope=testtb, family=cf:q, action=WRITE)

    Description

      The code related to this issue is in AccessController.java:permissionGranted().

      When creating audit logs, that method will do one of the following:

      • grant access, create audit log with table name only
      • deny access because of table permission, create audit log with table name only
      • deny access because of column family / qualifier permission, create audit log with specific family / qualifier

      So, in the case where more than one column family and/or qualifier are in the same request, there will be a loss of information. Even in the case where only one column family and/or qualifier is involved, information may be lost.

      It would be better if this behavior consistently included all the information in the request; regardless of access being granted or denied, and regardless which permission caused the denial, the column family and qualifier info should be part of the audit log message.

      Attachments

        1. HBASE-6386-v4.patch
          19 kB
          Matteo Bertozzi
        2. HBASE-6386-v3.patch
          19 kB
          Matteo Bertozzi
        3. hbase-6386-v2.patch
          15 kB
          Marcelo Masiero Vanzin
        4. hbase-6386-v1.patch
          14 kB
          Marcelo Masiero Vanzin

        Issue Links

          depends upon

          Sub-task - The sub-task of the issue HBASE-7518 Move AuthResult out of AccessController

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates to

          Umbrella - An overarching type made of sub-tasks HBASE-6096 AccessController v2

          • Major - Major loss of function.
          • Closed

          Activity

            People

              mbertozzi Matteo Bertozzi
              vanzin Marcelo Masiero Vanzin
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: