Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke

This commit is contained in:
Andor Molnár 2019-08-07 11:06:30 +02:00 committed by Peter Somogyi
parent a80294809b
commit 07c6bb16e7
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
View File

@ -344,6 +344,8 @@ public class MasterRpcServices extends RSRpcServices
implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
LockService.BlockingInterface, HbckService.BlockingInterface {
private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
private static final Logger AUDITLOG =
LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
private final HMaster master;
@ -2608,6 +2610,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.postGrant(perm, mergeExistingPermissions);
}
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should store permission changes in addition to auth results
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
perm);
}
return GrantResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
@ -2629,6 +2638,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission);
}
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should record all permission changes
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
userPermission);
}
return RevokeResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);