HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke

This commit is contained in:
Andor Molnár 2019-08-07 11:06:30 +02:00 committed by Peter Somogyi
parent a80294809b
commit 07c6bb16e7
1 changed files with 16 additions and 0 deletions

View File

@ -344,6 +344,8 @@ public class MasterRpcServices extends RSRpcServices
implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface, implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
LockService.BlockingInterface, HbckService.BlockingInterface { LockService.BlockingInterface, HbckService.BlockingInterface {
private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName()); private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
private static final Logger AUDITLOG =
LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
private final HMaster master; private final HMaster master;
@ -2608,6 +2610,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) { if (master.cpHost != null) {
master.cpHost.postGrant(perm, mergeExistingPermissions); master.cpHost.postGrant(perm, mergeExistingPermissions);
} }
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should store permission changes in addition to auth results
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
perm);
}
return GrantResponse.getDefaultInstance(); return GrantResponse.getDefaultInstance();
} catch (IOException ioe) { } catch (IOException ioe) {
throw new ServiceException(ioe); throw new ServiceException(ioe);
@ -2629,6 +2638,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) { if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission); master.cpHost.postRevoke(userPermission);
} }
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should record all permission changes
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
userPermission);
}
return RevokeResponse.getDefaultInstance(); return RevokeResponse.getDefaultInstance();
} catch (IOException ioe) { } catch (IOException ioe) {
throw new ServiceException(ioe); throw new ServiceException(ioe);