Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke

This commit is contained in:
Andor Molnár 2019-08-07 11:06:30 +02:00 committed by Peter Somogyi
parent 328d1073a5
commit cc4b5103de
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
View File

@ -340,6 +340,8 @@ public class MasterRpcServices extends RSRpcServices
implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface, implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
LockService.BlockingInterface, HbckService.BlockingInterface { LockService.BlockingInterface, HbckService.BlockingInterface {
private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName()); private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
private static final Logger AUDITLOG =
LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
private final HMaster master; private final HMaster master;
@ -2574,6 +2576,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) { if (master.cpHost != null) {
master.cpHost.postGrant(perm, mergeExistingPermissions); master.cpHost.postGrant(perm, mergeExistingPermissions);
} }
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should store permission changes in addition to auth results
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
perm);
}
return GrantResponse.getDefaultInstance(); return GrantResponse.getDefaultInstance();
} catch (IOException ioe) { } catch (IOException ioe) {
throw new ServiceException(ioe); throw new ServiceException(ioe);
@ -2595,6 +2604,13 @@ public class MasterRpcServices extends RSRpcServices
if (master.cpHost != null) { if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission); master.cpHost.postRevoke(userPermission);
} }
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should record all permission changes
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
userPermission);
}
return RevokeResponse.getDefaultInstance(); return RevokeResponse.getDefaultInstance();
} catch (IOException ioe) { } catch (IOException ioe) {
throw new ServiceException(ioe); throw new ServiceException(ioe);