  1. HBase
  2. HBASE-22759

Add user info to AUDITLOG events when doing grant/revoke


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 2.2.0, 2.1.5
    • Fix Version/s: 3.0.0, 2.3.0, 2.2.1, 2.1.6
    • Component/s: logging, security
    • Labels:
      None

      Description

      On branch-2.1 the AUDITLOG event is raised like this:

      AUDITLOG.trace("Granted permission " + perm.toString());

      I'd like to extend this line with "caller" user info like this:

      AUDITLOG.trace("User {} granted permission {}", caller, perm.toString());

      A similar change is proposed for the Revoke event.

      On branch-2.2+ the grant() and revoke() methods in AccessController have been deprecated and the logic was moved to MasterRpcServices, but that class doesn't do any audit logging. I'm not sure why audit logging has been removed or about any replacement in the refactored logic, but audit logging is a crucial security tool in our environment to track change events on ACLs.

      I'm planning to add AUDITLOG to MasterRpcServices to bring back this functionality, but please FIXME and point me in the right direction if needed.
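
      Added example (not part of the issue or of HBase's code): a small audit-log reader showing what the extra "caller" field buys a defender, namely that ACL changes can be grouped per user while old-format lines stay unattributable. The line prefix, the permission strings, the "revoked" wording and the old-format "Revoked permission" shape are assumptions; only the two grant message shapes come from the description above.

```python
import re
from collections import defaultdict

# Constructed sample lines. Timestamps, the "AUDITLOG:" prefix and the
# permission strings are made up; the permission text is treated as opaque.
SAMPLE_LOG = """\
2019-07-30 10:01:02 AUDITLOG: Granted permission [constructed-perm-A]
2019-07-30 10:05:10 AUDITLOG: User alice granted permission [constructed-perm-B]
2019-07-30 10:07:45 AUDITLOG: User bob revoked permission [constructed-perm-B]
2019-07-30 10:09:00 AUDITLOG: User alice granted permission [constructed-perm-C]
2019-07-30 10:09:30 AUDITLOG: some unrelated message
"""

# New shape proposed in the issue: "User {} granted permission {}".
# Assumption: the caller name contains no whitespace and the revoke
# message mirrors the grant message.
NEW_FORMAT = re.compile(
    r"User (?P<caller>\S+) (?P<action>granted|revoked) permission (?P<perm>.*)$"
)
# Old shape on branch-2.1: "Granted permission ..." with no caller.
# "Revoked permission ..." is assumed to look the same.
OLD_FORMAT = re.compile(r"(?P<action>Granted|Revoked) permission (?P<perm>.*)$")


def parse_line(line):
    """Return (caller, action, perm) for an ACL audit line, else None.

    caller is None for old-format lines that carry no user information.
    """
    m = NEW_FORMAT.search(line)
    if m:
        return m.group("caller"), m.group("action"), m.group("perm")
    m = OLD_FORMAT.search(line)
    if m:
        return None, m.group("action").lower(), m.group("perm")
    return None


def summarize(log_text):
    """Group ACL changes by caller; collect the ones nobody can be tied to."""
    by_caller = defaultdict(list)
    unattributed = []
    for line in log_text.splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue  # not a grant/revoke audit event
        caller, action, perm = parsed
        target = unattributed if caller is None else by_caller[caller]
        target.append((action, perm))
    return dict(by_caller), unattributed
```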

            People

            • Assignee: Andor Molnar
            • Reporter: Andor Molnar