  1. Hadoop Common
  2. HADOOP-13693

Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: kms
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      kms-audit.log used to show an UNAUTHENTICATED message even for successful operations, because of the OPTIONS HTTP request during SPNEGO initial handshake. This message brings more confusion than help, and has hence been removed.

      Description

      For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED ErrorMsg:'Authentication required' message before the OK messages. This is expected, and due to the spnego authentication sequence. (Notice method == OPTIONS)

      2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt ErrorMsg:'Authentication required'
      2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=0ms] 
      2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=10193ms] 
      

      However, admins/auditors see this and can easily get confused/alerted. We should make it obvious this is benign.
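
For audit logs written before this change, the handshake entries described above can be separated mechanically from other UNAUTHENTICATED entries. The following Python script is an added example, not part of the issue or of Hadoop's code; it assumes every UNAUTHENTICATED line follows the layout quoted above, and the function names, hosts and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the UNAUTHENTICATED line layout quoted in the issue description.
UNAUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) UNAUTHENTICATED "
    r"RemoteHost:(?P<host>\S+) Method:(?P<method>\S+) URL:(?P<url>\S+) "
    r"ErrorMsg:'(?P<msg>.*)'$"
)

def triage(lines):
    """Return (handshake, review): OPTIONS challenge entries vs. everything else."""
    handshake, review = [], []
    for raw in lines:
        line = raw.strip()
        if "UNAUTHENTICATED" not in line:
            continue  # OK[...] and other record types are not triaged here
        m = UNAUTH_RE.match(line)
        if m is None:
            # Fail closed: an entry we cannot parse is never treated as benign.
            review.append({"host": None, "method": None, "raw": line})
        elif m["method"] == "OPTIONS" and m["msg"] == "Authentication required":
            handshake.append({**m.groupdict(), "raw": line})
        else:
            review.append({**m.groupdict(), "raw": line})
    return handshake, review

def hosts_to_review(review):
    """Count entries needing review per remote host (None = unparsed line)."""
    return Counter(e["host"] for e in review)

# Constructed sample lines (hosts, URLs and the GET entry are illustrative).
SAMPLE = [
    "2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS "
    "URL:https://kms.example.com:16000/kms/v1/keyversion/EXAMPLE/_eek?eek_op=decrypt "
    "ErrorMsg:'Authentication required'",
    "2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=k1, user=alice, accessCount=1, interval=0ms] ",
    "2016-01-31 21:09:30,002 UNAUTHENTICATED RemoteHost:192.0.2.44 Method:GET "
    "URL:https://kms.example.com:16000/kms/v1/keyversion/EXAMPLE/_eek?eek_op=decrypt "
    "ErrorMsg:'Authentication required'",
    "2016-01-31 21:09:31,500 UNAUTHENTICATED RemoteHost:192.0.2.44 (truncated",
]

if __name__ == "__main__":
    handshake, review = triage(SAMPLE)
    print(len(handshake), "handshake entries;", dict(hosts_to_review(review)))
```

Only entries with Method:OPTIONS and the 'Authentication required' message are set aside; anything else, including lines that do not parse, stays in the review list.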

        Attachments

        1. HADOOP-13693.01.patch
          1 kB
          Xiao Chen
        2. HADOOP-13693.02.patch
          1 kB
          Xiao Chen

            People

            • Assignee:
              xiaochen Xiao Chen
              Reporter:
              xiaochen Xiao Chen
