From db09a5e8eb25a55924e1cc89f2c200cdd7983521 Mon Sep 17 00:00:00 2001
From: Ashish Singhi
Date: Mon, 12 Jan 2015 17:55:12 +0530
Subject: [PATCH] HBASE-12831 Changing the set of vis labels a user has access to doesn't generate an audit log event

---
 conf/log4j.properties | 1 +
 .../security/visibility/VisibilityController.java | 39 ++++++++++++++++++----
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/conf/log4j.properties b/conf/log4j.properties
index 4e8f145..472fc03 100644
--- a/conf/log4j.properties
+++ b/conf/log4j.properties
@@ -55,6 +55,7 @@ log4j.appender.RFAS.layout.ConversionPattern=%d{ISO8601} %p %c: %m%n
 log4j.category.SecurityLogger=${hbase.security.logger}
 log4j.additivity.SecurityLogger=false
 #log4j.logger.SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController=TRACE
+#log4j.logger.SecurityLogger.org.apache.hadoop.hbase.security.visibility.VisibilityController=TRACE
 #
 # Null Appender
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
index 9deeca3..a9f21c4 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
@@ -119,6 +119,8 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 VisibilityLabelsService.Interface, CoprocessorService {
 private static final Log LOG = LogFactory.getLog(VisibilityController.class);
+ private static final Log AUDITLOG = LogFactory.getLog("SecurityLogger."
+ + VisibilityController.class.getName());
 // flags if we are running on a region of the 'labels' table
 private boolean labelsRegion = false;
 // Flag denoting whether AcessController is available or not.
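Review bot: The new `AUDITLOG` field carries no comment saying why it is a second logger next to `LOG` or how an operator turns it on; since every entry the later hunks write goes through `AUDITLOG.trace(...)`, nothing reaches the audit file until `SecurityLogger.org.apache.hadoop.hbase.security.visibility.VisibilityController` is raised to TRACE, which is the line this patch adds commented out in conf/log4j.properties, while the SecurityLogger category itself sits at whatever `${hbase.security.logger}` resolves to. Suggest `// Audit trail for label/authorization changes; written at TRACE under the SecurityLogger category, so it is silent unless that logger is set to TRACE (see conf/log4j.properties).` above the field. Whether TRACE is the right level for an audit trail that HBASE-12831 says is currently missing deserves a second look, although it appears to mirror the existing AccessController entry in the same properties file. The enclosing class begins before this hunk.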
@@ -729,15 +731,20 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 try {
 checkCallingUserAuth();
 List labels = new ArrayList(visLabels.size());
+ List labelsStr = new ArrayList(visLabels.size());
 RegionActionResult successResult = RegionActionResult.newBuilder().build();
 for (VisibilityLabel visLabel : visLabels) {
 byte[] label = visLabel.getLabel().toByteArray();
 labels.add(label);
+ labelsStr.add(Bytes.toString(label));
 response.addResult(successResult); // Just mark as success. Later it will get reset
 // based on the result from
 // visibilityLabelService.addLabels ()
 }
 if (!labels.isEmpty()) {
+ if (AUDITLOG.isTraceEnabled()) {
+ AUDITLOG.trace("Add labels: " + labelsStr);
+ }
 OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);
 int i = 0;
 for (OperationStatus status : opStatus) {
@@ -783,11 +790,18 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 try {
 checkCallingUserAuth();
 List labelAuths = new ArrayList(auths.size());
+ List labelAuthsStr = new ArrayList(auths.size());
 for (ByteString authBS : auths) {
- labelAuths.add(authBS.toByteArray());
+ byte[] auth = authBS.toByteArray();
+ labelAuths.add(auth);
+ labelAuthsStr.add(Bytes.toString(auth));
+ }
+ byte[] user = request.getUser().toByteArray();
+ if (AUDITLOG.isTraceEnabled()) {
+ AUDITLOG.trace("Set authorization for labels: " + labelAuthsStr + " to user "
+ + Bytes.toString(user));
 }
- OperationStatus[] opStatus = this.visibilityLabelService.setAuths(request.getUser()
- .toByteArray(), labelAuths);
+ OperationStatus[] opStatus = this.visibilityLabelService.setAuths(user, labelAuths);
 RegionActionResult successResult = RegionActionResult.newBuilder().build();
 for (OperationStatus status : opStatus) {
 if (status.getOperationStatusCode() == SUCCESS) {
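Review bot: The audit entry inside the `if (!labels.isEmpty())` branch is written before `addLabels` runs and records neither who requested the change nor whether it succeeded, so a rejected or partially failed request leaves the same trail as a successful one; the `opStatus` loop that follows already distinguishes SUCCESS per label and is the natural place to record the outcome. The same shape recurs in the setAuths hunk at -783, the clearAuths hunk at -858, getAuths at -825 and listLabels at -900, none of which log the calling user even though the -825 hunk has it in scope as `requestingUser`. Suggest moving the trace after the service call and adding the requester and result, along the lines of `AUDITLOG.trace("Add labels: " + labelsStr + " requested by " + <requesting-user short name> + ", status " + <per-label status summary>);`, obtaining the active user the same way the surrounding code does (the accessor is not visible in this hunk). The enclosing method starts and ends outside the hunk.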
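Review bot: `Bytes.toString(user)` and the `labelAuthsStr` entries are concatenated into the audit line exactly as the request supplied them, so a user name or label containing a CR or LF would render as what looks like a separate audit record; the label strings in the -729 hunk, the user in the -825 and -858 hunks and the regex in the -900 hunk have the same exposure. A small helper such as `private static String forAudit(byte[] b) { return Bytes.toString(b).replaceAll("[\\r\\n]", " "); }`, used in place of `Bytes.toString` in every trace call, keeps one request to one line in the audit file. Separately, `labelAuthsStr` is populated on every call although it is only read inside the `isTraceEnabled()` guard, so the guard saves the concatenation but not the per-label `Bytes.toString` and list allocations; building the string list inside the guard would keep the common path free of that work. The enclosing method starts and ends outside the hunk.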
@@ -825,6 +839,9 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 + (requestingUser != null ? requestingUser.getShortName() : "null")
 + "' is not authorized to perform this action.");
 }
+ if (AUDITLOG.isTraceEnabled()) {
+ AUDITLOG.trace("Get authorizations for user: " + Bytes.toString(user));
+ }
 labels = this.visibilityLabelService.getAuths(user, false);
 } catch (IOException e) {
 ResponseConverter.setControllerException(controller, e);
@@ -858,11 +875,18 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 checkCallingUserAuth(); // When AC is not in place the calling user should have SYSTEM_LABEL
 // auth to do this action.
 List labelAuths = new ArrayList(auths.size());
+ List labelAuthsStr = new ArrayList(auths.size());
 for (ByteString authBS : auths) {
- labelAuths.add(authBS.toByteArray());
+ byte[] auth = authBS.toByteArray();
+ labelAuths.add(auth);
+ labelAuthsStr.add(Bytes.toString(auth));
 }
- OperationStatus[] opStatus = this.visibilityLabelService.clearAuths(request.getUser()
- .toByteArray(), labelAuths);
+ byte[] user = request.getUser().toByteArray();
+ if (AUDITLOG.isTraceEnabled()) {
+ AUDITLOG.trace("Remove authorization for labels: " + labelAuthsStr + " for user "
+ + Bytes.toString(user));
+ }
+ OperationStatus[] opStatus = this.visibilityLabelService.clearAuths(user, labelAuths);
 RegionActionResult successResult = RegionActionResult.newBuilder().build();
 for (OperationStatus status : opStatus) {
 if (status.getOperationStatusCode() == SUCCESS) {
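Review bot: The new trace is placed after the `is not authorized` check, so a request that is rejected by the throw just above it leaves nothing in the audit log, although denied attempts are the events an audit trail most needs to capture; the listLabels hunk at -900 has the same shape, and in the -729, -783 and -858 hunks a failure inside `checkCallingUserAuth()` likewise bypasses the trace. Suggest logging the denial in the branch that builds the exception, e.g. `AUDITLOG.trace("Denied getAuths for user " + Bytes.toString(user) + " requested by " + (requestingUser != null ? requestingUser.getShortName() : "null"));` before the throw (assuming `user` is already assigned at that point, which the following `getAuths(user, false)` call suggests), and carrying `requestingUser` into the existing success-path entry as well. The enclosing method starts and ends outside the hunk, and the conditional that contains the throw opens before it.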
@@ -900,6 +924,9 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
 + "' is not authorized to perform this action.");
 }
 String regex = request.hasRegex() ? request.getRegex() : null;
+ if (AUDITLOG.isTraceEnabled()) {
+ AUDITLOG.trace("List labels matching regex: " + regex);
+ }
 labels = this.visibilityLabelService.listLabels(regex);
 } catch (IOException e) {
 ResponseConverter.setControllerException(controller, e);
--
1.9.2.msysgit.0
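Review bot: When the request carries no regex the entry reads `List labels matching regex: null`, which cannot be told apart from a client that literally sent the pattern "null", because `regex` is set to `null` on the `hasRegex()` false branch; suggest `AUDITLOG.trace("List labels" + (regex == null ? " (all)" : " matching regex: " + regex));`. The pattern is also request-supplied text written into the audit line unescaped, the same exposure as the label and user strings in the earlier hunks. The enclosing method starts and ends outside the hunk.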