[HADOOP-13693] Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.0-alpha2
Component/s: kms
Labels:
- supportability

Target Version/s:

3.0.0-alpha2
Hadoop Flags:

Incompatible change, Reviewed
Release Note:
kms-audit.log used to show an UNAUTHENTICATED message even for successful operations, because of the OPTIONS HTTP request during SPNEGO initial handshake. This message brings more confusion than help, and has hence been removed.

Description

For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED ErrorMsg:'Authentication required' message before the OK messages. This is expected, and due to the spnego authentication sequence. (Notice method == OPTIONS)

2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt ErrorMsg:'Authentication required'
2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=0ms] 
2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=10193ms]

However, admins/auditors see this and can easily get confused/alerted. We should make it obvious this is benign.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-13693.02.patch
14/Oct/16 23:45
1 kB
Xiao Chen
HADOOP-13693.01.patch
07/Oct/16 00:36
1 kB
Xiao Chen

Issue Links

is duplicated by

HDFS-10428 Kms server UNAUTHENTICATED

Resolved

Activity

People

Assignee:: Xiao Chen

Reporter:: Xiao Chen

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 07/Oct/16 00:14

Updated:: 14/Nov/16 05:09

Resolved:: 19/Oct/16 01:29