HBASE-26517 Add auth method information to AccessChecker audit log (#3897)

Signed-off-by: Duo Zhang <zhangduo@apache.org>
2021-12-04 23:59:29 +09:00 · 2021-12-04 23:59:29 +09:00 · 45347bb81a
parent 1d4b0cb46f
commit 45347bb81a
1 changed files with 8 additions and 3 deletions
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessChecker.java
@ -47,6 +47,7 @@ import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.security.Groups;
 import org.apache.hadoop.security.HadoopKerberosName;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.yetus.audience.InterfaceAudience;
 import org.apache.yetus.audience.InterfaceStability;
 import org.slf4j.Logger;
@ -366,12 +367,16 @@ public class AccessChecker {
  public static void logResult(AuthResult result) {
    if (AUDITLOG.isTraceEnabled()) {
      User user = result.getUser();
      UserGroupInformation ugi = user != null ? user.getUGI() : null;
      AUDITLOG.trace(
-        "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {}",
+        "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {};" +
          "auth method: {}",
        (result.isAllowed() ? "allowed" : "denied"),
-        (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN"),
+        (user != null ? user.getShortName() : "UNKNOWN"),
        result.getReason(), RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""),
-        result.getRequest(), result.toContextString());
+        result.getRequest(), result.toContextString(),
        ugi != null ? ugi.getAuthenticationMethod() : "UNKNOWN");
    }
  }