Hadoop Common / HADOOP-13693

Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: kms
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      kms-audit.log used to show an UNAUTHENTICATED message even for successful operations, because of the OPTIONS HTTP request during SPNEGO initial handshake. This message brings more confusion than help, and has hence been removed.

      Description

      For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED ErrorMsg:'Authentication required' message before the OK messages. This is expected, and due to the spnego authentication sequence. (Notice method == OPTIONS)

      2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt ErrorMsg:'Authentication required'
      2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=0ms] 
      2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=10193ms] 
      

      However, admins/auditors see this and can easily get confused/alerted. We should make it obvious this is benign.

      1. HADOOP-13693.01.patch
        1 kB
        Xiao Chen
      2. HADOOP-13693.02.patch
        1 kB
        Xiao Chen
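
Triage of the UNAUTHENTICATED entries described above, for kms-audit.log files written before this change (an added example, not code from the Hadoop project or the attached patches). The sample log is constructed, and the labels, the 5-second window and the rule "an OPTIONS probe followed by an OK entry is the SPNEGO handshake" are assumptions of this example; OK entries carry no RemoteHost, so the pairing is by time only.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (hosts, keys and users are made up) in the
# kms-audit.log layout quoted in the issue description.
SAMPLE = """\
2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://kms.example.test:16000/kms/v1/keyversion/KV1/_eek?eek_op=decrypt ErrorMsg:'Authentication required'
2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=k1, user=alice, accessCount=1, interval=0ms]
2016-01-31 21:09:30,002 UNAUTHENTICATED RemoteHost:10.0.2.99 Method:OPTIONS URL:https://kms.example.test:16000/kms/v1/keys/names ErrorMsg:'Authentication required'
2016-01-31 21:12:00,500 UNAUTHENTICATED RemoteHost:10.0.2.77 Method:GET URL:https://kms.example.test:16000/kms/v1/key/k1/_metadata ErrorMsg:'Authentication required'
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)(.*)$")
FIELDS = re.compile(r"\b(RemoteHost|Method|URL):(\S+)")
ERRMSG = re.compile(r"ErrorMsg:'([^']*)'")


def parse(text):
    """Turn audit lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"),
              "status": m.group(2)}
        ev.update(FIELDS.findall(m.group(3)))  # absent on OK[...] lines
        err = ERRMSG.search(m.group(3))
        ev["ErrorMsg"] = err.group(1) if err else None
        events.append(ev)
    return events


def triage(text, window_s=5.0):
    """Label every UNAUTHENTICATED entry (labels are this example's own).

    spnego-handshake     OPTIONS probe with an OK entry within window_s
    options-no-followup  OPTIONS probe with no OK entry in the window
    review               any other unauthenticated request
    """
    events = parse(text)
    window = timedelta(seconds=window_s)
    findings = []
    for i, ev in enumerate(events):
        if ev["status"] != "UNAUTHENTICATED":
            continue
        probe = (ev.get("Method") == "OPTIONS"
                 and ev["ErrorMsg"] == "Authentication required")
        # Temporal pairing only: OK entries do not record the remote host.
        followed = any(
            nxt["status"] == "OK"
            and timedelta(0) <= nxt["ts"] - ev["ts"] <= window
            for nxt in events[i + 1:])
        if probe and followed:
            label = "spnego-handshake"
        elif probe:
            label = "options-no-followup"
        else:
            label = "review"
        stamp = ev["ts"].isoformat(sep=" ", timespec="milliseconds")
        findings.append((stamp, ev.get("RemoteHost"), label))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```
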

          Activity

          xiaochen Xiao Chen added a comment -

          This is audit log, so incompatible by default.
          We have several choices to improve:

          1. since this is an OPTIONS http method, maybe we can hence not log it into audit logs.
          2. change the AuthenticationFilter to no longer return an error for this type of requests.
          3. update the audit message to give better context.

          IMO logging is theoretically correct, and changing the server code feels risky. So posting a patch to do #3 here.
          Xiaoyu Yao, I see you helped resolve the linked HDFS-10428. What's your opinion about this one? Also ping Arun Suresh for input. Thank you both in advance.

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 15s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 7m 11s trunk passed
          +1 compile 7m 11s trunk passed
          +1 checkstyle 0m 12s trunk passed
          +1 mvnsite 0m 19s trunk passed
          +1 mvneclipse 0m 12s trunk passed
          +1 findbugs 0m 23s trunk passed
          +1 javadoc 0m 12s trunk passed
          +1 mvninstall 0m 16s the patch passed
          +1 compile 7m 10s the patch passed
          +1 javac 7m 10s the patch passed
          +1 checkstyle 0m 13s the patch passed
          +1 mvnsite 0m 19s the patch passed
          +1 mvneclipse 0m 12s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 0m 31s the patch passed
          +1 javadoc 0m 12s the patch passed
          +1 unit 2m 6s hadoop-kms in the patch passed.
          +1 asflicense 0m 21s The patch does not generate ASF License warnings.
          28m 38s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Issue HADOOP-13693
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12832066/HADOOP-13693.01.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux e6f62ecb0386 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / bf37217
          Default Java 1.8.0_101
          findbugs v3.0.0
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10699/testReport/
          modules C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10699/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          andrew.wang Andrew Wang added a comment -

          I think since this OPTIONS call is unrelated to any actual KMS-level operation, it doesn't belong in the audit log. Especially since this UNAUTHENTICATED is part of the happy path of authenticating with the KMS.

          We can consider moving this information to kms.log instead, but it seems spammy even there. My 2c is to just remove it.

          xiaochen Xiao Chen added a comment -

          Thanks Andrew Wang for the comment! That makes sense too, since that audit line isn't helpful in auditing KMS anyway...
          Attaching a patch 2 for this.

          Would love to hear Arun Suresh and Xiaoyu Yao's opinions as well.

          xyao Xiaoyu Yao added a comment -

          Thanks Xiao Chen for working on this and Andrew Wang for the discussion. Removing UNAUTHENTICATED from the audit log sounds reasonable to me.

          The 2nd patch attached seems not to be for this ticket, though. Can you update it?

          xiaochen Xiao Chen added a comment -

          Oops, there you go... Thanks Xiaoyu Yao for the quick response!

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 15s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 6m 43s trunk passed
          +1 compile 6m 49s trunk passed
          +1 checkstyle 0m 17s trunk passed
          +1 mvnsite 0m 19s trunk passed
          +1 mvneclipse 0m 12s trunk passed
          -1 findbugs 0m 22s hadoop-common-project/hadoop-kms in trunk has 2 extant Findbugs warnings.
          +1 javadoc 0m 12s trunk passed
          +1 mvninstall 0m 16s the patch passed
          +1 compile 6m 55s the patch passed
          +1 javac 6m 55s the patch passed
          +1 checkstyle 0m 12s the patch passed
          +1 mvnsite 0m 18s the patch passed
          +1 mvneclipse 0m 12s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 0m 36s the patch passed
          +1 javadoc 0m 12s the patch passed
          +1 unit 2m 7s hadoop-kms in the patch passed.
          +1 asflicense 0m 21s The patch does not generate ASF License warnings.
          27m 41s



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Issue HADOOP-13693
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12833475/HADOOP-13693.02.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 74244fa3276f 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 76cc84e
          Default Java 1.8.0_101
          findbugs v3.0.0
          findbugs https://builds.apache.org/job/PreCommit-HADOOP-Build/10800/artifact/patchprocess/branch-findbugs-hadoop-common-project_hadoop-kms-warnings.html
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10800/testReport/
          modules C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10800/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          andrew.wang Andrew Wang added a comment -

          +1 change looks good for 3.0. Let's wait a bit to commit though in case others have comments.

          hadoopqa Hadoop QA added a comment -
          -1 overall



          Vote Subsystem Runtime Comment
          0 reexec 0m 17s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
          0 mvndep 0m 7s Maven dependency ordering for branch
          +1 mvninstall 7m 3s trunk passed
          +1 compile 1m 20s trunk passed
          +1 checkstyle 0m 30s trunk passed
          +1 mvnsite 1m 24s trunk passed
          +1 mvneclipse 0m 25s trunk passed
          +1 findbugs 3m 8s trunk passed
          +1 javadoc 1m 1s trunk passed
          0 mvndep 0m 7s Maven dependency ordering for patch
          +1 mvninstall 1m 14s the patch passed
          +1 compile 1m 17s the patch passed
          +1 javac 1m 17s the patch passed
          +1 checkstyle 0m 28s hadoop-hdfs-project: The patch generated 0 new + 94 unchanged - 3 fixed = 94 total (was 97)
          +1 mvnsite 1m 27s the patch passed
          +1 mvneclipse 0m 23s the patch passed
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 findbugs 3m 55s the patch passed
          +1 javadoc 1m 1s the patch passed
          +1 unit 1m 3s hadoop-hdfs-client in the patch passed.
          -1 unit 62m 28s hadoop-hdfs in the patch failed.
          +1 asflicense 0m 19s The patch does not generate ASF License warnings.
          92m 27s



          Reason Tests
          Failed junit tests hadoop.hdfs.server.datanode.TestNNHandlesCombinedBlockReport
            hadoop.hdfs.web.TestWebHDFS
            hadoop.hdfs.server.namenode.TestDiskspaceQuotaUpdate



          Subsystem Report/Notes
          Docker Image:yetus/hadoop:9560f25
          JIRA Issue HADOOP-13693
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12833471/HDFS-11009.02.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
          uname Linux 0d2e6fc90b55 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision trunk / 76cc84e
          Default Java 1.8.0_101
          findbugs v3.0.0
          unit https://builds.apache.org/job/PreCommit-HADOOP-Build/10798/artifact/patchprocess/patch-unit-hadoop-hdfs-project_hadoop-hdfs.txt
          Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10798/testReport/
          modules C: hadoop-hdfs-project/hadoop-hdfs-client hadoop-hdfs-project/hadoop-hdfs U: hadoop-hdfs-project
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10798/console
          Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          xiaochen Xiao Chen added a comment -

          Test failures look unrelated. I plan to commit this on Tuesday PDT if no objections.

          asuresh Arun Suresh added a comment -

          I agree.. the UNAUTHENTICATED line is more noise than signal.. Haven't reviewed the patch yet but +1 to removing OPTION messages from the log.

          xiaochen Xiao Chen added a comment -

          Given Andrew's +1 and Arun/Xiaoyu's positive feedback, I plan to commit this later today.

          xyao Xiaoyu Yao added a comment -

          v02 patch LGTM. +1.

          xiaochen Xiao Chen added a comment - - edited

          Committed to trunk. Thanks Andrew, Xiaoyu and Arun for the review and feedback!

          hudson Hudson added a comment -

          SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10635 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10635/)
          HADOOP-13693. Remove the message about HTTP OPTIONS in SPNEGO (xiao: rev d75cbc5749808491d2b06f80506d95b6fb1b9e9c)

          • (edit) hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java

            People

            • Assignee: Xiao Chen
            • Reporter: Xiao Chen
            • Votes: 0
            • Watchers: 7
