From 1df5bcad825f7cdc02f5d8c233e794094bec08fe Mon Sep 17 00:00:00 2001
From: Andrew Kyle Purtell
Date: Thu, 17 May 2012 19:36:42 +0000
Subject: [PATCH] HBASE-6010. Security audit logger configuration for log4j
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1339817 13f79535-47bb-0310-9956-ffa450edef68
---
 bin/hbase | 7 +++++++
 bin/hbase-daemon.sh | 1 +
 conf/log4j.properties | 20 ++++++++++++++++++++
 3 files changed, 28 insertions(+)
diff --git a/bin/hbase b/bin/hbase
index 1a7ad3786bb..8921a8a4866 100755
--- a/bin/hbase
+++ b/bin/hbase
@@ -325,6 +325,13 @@ if [ "x$JAVA_LIBRARY_PATH" != "x" ]; then
 HBASE_OPTS="$HBASE_OPTS -Djava.library.path=$JAVA_LIBRARY_PATH"
 fi
+# Enable security logging on the master and regionserver only
+if [ "$COMMAND" = "master" ] || [ "$COMMAND" = "regionserver" ]; then
+ HBASE_OPTS="$HBASE_OPTS -Dhbase.security.logger=${HBASE_SECURITY_LOGGER:-INFO,RFAS}"
+else
+ HBASE_OPTS="$HBASE_OPTS -Dhbase.security.logger=${HBASE_SECURITY_LOGGER:-INFO,NullAppender}"
+fi
+
 # Exec unless HBASE_NOEXEC is set.
 if [ "${HBASE_NOEXEC}" != "" ]; then
 "$JAVA" -XX:OnOutOfMemoryError="kill -9 %p" $JAVA_HEAP_MAX $HBASE_OPTS -classpath "$CLASSPATH" $CLASS "$@"
diff --git a/bin/hbase-daemon.sh b/bin/hbase-daemon.sh
index 07623130211..74206b53716 100755
--- a/bin/hbase-daemon.sh
+++ b/bin/hbase-daemon.sh
@@ -138,6 +138,7 @@ JAVA=$JAVA_HOME/bin/java
 export HBASE_LOG_PREFIX=hbase-$HBASE_IDENT_STRING-$command-$HOSTNAME
 export HBASE_LOGFILE=$HBASE_LOG_PREFIX.log
 export HBASE_ROOT_LOGGER=${HBASE_ROOT_LOGGER:-"INFO,RFA"}
+export HBASE_SECURITY_LOGGER=${HBASE_SECURITY_LOGGER:-"INFO,RFAS"}
 logout=$HBASE_LOG_DIR/$HBASE_LOG_PREFIX.out
 loggc=$HBASE_LOG_DIR/$HBASE_LOG_PREFIX.gc
 loglog="${HBASE_LOG_DIR}/${HBASE_LOGFILE}"
diff --git a/conf/log4j.properties b/conf/log4j.properties
index d829fcdf05b..5ed686a01f8 100644
--- a/conf/log4j.properties
+++ b/conf/log4j.properties
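Review bot: The `INFO,NullAppender` default in the `else` branch of bin/hbase is bypassed whenever the process is started through bin/hbase-daemon.sh, because the `export HBASE_SECURITY_LOGGER=${HBASE_SECURITY_LOGGER:-"INFO,RFAS"}` added in that file's hunk sets the variable for every command, not just master and regionserver. The comment `# Enable security logging on the master and regionserver only` therefore holds for foreground runs only, and other daemon-launched commands will also open the audit file. Either drop the default from the export in hbase-daemon.sh so this `if` is the single place that decides, or reword the comment to say that HBASE_SECURITY_LOGGER overrides both branches. A short comment that an override naming no file appender discards the audit trail would also help operators.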
@@ -1,5 +1,6 @@
 # Define some default values that can be overridden by system properties
 hbase.root.logger=INFO,console
+hbase.security.logger=INFO,console
 hbase.log.dir=.
 hbase.log.file=hbase.log
@@ -43,6 +44,25 @@ log4j.appender.RFA.layout.ConversionPattern=%d{ISO8601} %p %c: %m%n
 # Debugging Pattern format
 #log4j.appender.DRFA.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n
+#
+# Security audit appender
+#
+hbase.security.log.file=SecurityAuth.audit
+hbase.security.log.maxfilesize=256MB
+hbase.security.log.maxbackupindex=20
+log4j.appender.RFAS=org.apache.log4j.RollingFileAppender
+log4j.appender.RFAS.File=${hbase.log.dir}/${hbase.security.log.file}
+log4j.appender.RFAS.MaxFileSize=${hbase.security.log.maxfilesize}
+log4j.appender.RFAS.MaxBackupIndex=${hbase.security.log.maxbackupindex}
+log4j.appender.RFAS.layout=org.apache.log4j.PatternLayout
+log4j.appender.RFAS.layout.ConversionPattern=%d{ISO8601} %p %c: %m%n
+log4j.category.SecurityLogger=${hbase.security.logger}
+log4j.additivity.SecurityLogger=false
+
+#
+# Null Appender
+#
+log4j.appender.NullAppender=org.apache.log4j.varia.NullAppender
 #
 # console
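Review bot: `log4j.appender.RFAS.File=${hbase.log.dir}/${hbase.security.log.file}` resolves to the same `SecurityAuth.audit` path for every JVM that shares a log directory, while the main log name is made per-process through HBASE_LOG_PREFIX in hbase-daemon.sh. log4j 1.x RollingFileAppender does not coordinate between processes, so a master and a regionserver on one host may interleave or lose audit records when either of them rolls the file. Consider letting the launcher pass a per-process `-Dhbase.security.log.file` (the file header says these defaults can be overridden by system properties). Also add a comment above `hbase.security.log.maxbackupindex=20` stating that 20 backups of 256MB is the whole retention window, after which the oldest audit records are deleted.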