This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new df6467e  RANGER-3103 : Ranger KMS should log full UGI principal
df6467e is described below

commit df6467e2581d686496ae75625d455aadeaa45864
Author: mateenmansoori <ma3naus...@gmail.com>
AuthorDate: Mon Jun 14 20:08:27 2021 +0530

    RANGER-3103 : Ranger KMS should log full UGI principal
    
    Signed-off-by: Mehul Parikh <me...@apache.org>
---
 .../hadoop/crypto/key/kms/server/KMSAudit.java     |  2 +-
 .../crypto/key/kms/server/KMSAuditLogger.java      |  2 +-
 .../hadoop/crypto/key/kms/server/TestKMSAudit.java | 58 ++++++++++------------
 3 files changed, 28 insertions(+), 34 deletions(-)

diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
index 3035a45..281ff45 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAudit.java
@@ -191,7 +191,7 @@ public class KMSAudit {
   private void op(final OpStatus opStatus, final Object op,
       final UserGroupInformation ugi, final String key, final String 
remoteHost,
       final String extraMsg) {
-      final String user = ugi == null ? null: ugi.getShortUserName();
+      final String user = ugi == null ? null: ugi.getUserName();
     if (!Strings.isNullOrEmpty(user) && !Strings.isNullOrEmpty(key)
         && (op != null)
         && AGGREGATE_OPS_WHITELIST.contains(op)) {
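Review bot: In `op()`, `user` now carries the full principal from `ugi.getUserName()` rather than the mapped short name, and nothing at the call site records why. I would add a comment above the assignment such as `// Audit the full principal (e.g. user@REALM), not the auth_to_local short name, so same-named users from different realms stay distinguishable.` The same applies to `this.user = ugi.getUserName();` in the KMSAuditLogger.java hunk. Any log parser, alert or report that matches `user=` against short names will stop matching after this change, so it deserves a release note. Authorization code presumably still evaluates the short name, so the audited identity and the ACL identity can now differ textually. The body of `op()` continues outside the hunk, so whether `user` also feeds the aggregation cache key cannot be confirmed from here.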
diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuditLogger.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuditLogger.java
index f03ece7..8ae2ea3 100644
--- 
a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuditLogger.java
+++ 
b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuditLogger.java
@@ -77,7 +77,7 @@ interface KMSAuditLogger {
         this.user = null;
         this.impersonator = null;
       } else {
-        this.user = ugi.getShortUserName();
+        this.user = ugi.getUserName();
         if (ugi.getAuthenticationMethod()
             == UserGroupInformation.AuthenticationMethod.PROXY) {
           this.impersonator = ugi.getRealUser().getUserName();
diff --git 
a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java 
b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
index ec51bf8..ab53938 100644
--- 
a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
+++ 
b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSAudit.java
@@ -34,7 +34,6 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.Timeout;
-import org.mockito.Mockito;
 import org.mockito.internal.util.reflection.Whitebox;
 
 public class TestKMSAudit {
@@ -45,6 +44,7 @@ public class TestKMSAudit {
   private PrintStream capturedOut;
 
   private KMSAudit kmsAudit;
+  private UserGroupInformation luser = 
UserGroupInformation.createUserForTesting("luser@REALM", new String[0]);
 
   private static class FilterOut extends FilterOutputStream {
     public FilterOut(OutputStream out) {
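Review bot: The shared `luser` fixture covers only a two-part `user@REALM` principal, so no test pins how a service principal with a host component, or a proxy user with its impersonator, is rendered in the audit line. A second fixture such as `UserGroupInformation.createUserForTesting("svc/host.example.com@REALM", new String[0])` (a constructed sample value) with one matching assertion would cover the `/` case. A UGI built with `UserGroupInformation.createProxyUser(...)` would exercise the PROXY branch touched in KMSAuditLogger.java. The field is never reassigned in the visible hunks, so it can be declared `private final`. The rest of `TestKMSAudit` lies outside this hunk.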
@@ -91,8 +91,6 @@ public class TestKMSAudit {
   @Test
   @SuppressWarnings("checkstyle:linelength")
   public void testAggregation() throws Exception {
-    UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
-    Mockito.when(luser.getShortUserName()).thenReturn("luser");
     kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
     kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
     kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
@@ -116,25 +114,23 @@ public class TestKMSAudit {
     System.out.println(out);
     Assert.assertTrue(
         out.matches(
-            "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
+            "OK\\[op=DECRYPT_EEK, key=k1, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
             // Not aggregated !!
-            + "OK\\[op=DELETE_KEY, key=k1, user=luser\\] testmsg"
-            + "OK\\[op=ROLL_NEW_VERSION, key=k1, user=luser\\] testmsg"
-            + "OK\\[op=INVALIDATE_CACHE, key=k1, user=luser\\] testmsg"
+            + "OK\\[op=DELETE_KEY, key=k1, user=luser@REALM\\] testmsg"
+            + "OK\\[op=ROLL_NEW_VERSION, key=k1, user=luser@REALM\\] testmsg"
+            + "OK\\[op=INVALIDATE_CACHE, key=k1, user=luser@REALM\\] testmsg"
             // Aggregated
-            + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=6, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser, accessCount=3, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "OK\\[op=REENCRYPT_EEK_BATCH, key=k1, user=luser\\] testmsg"
-            + "OK\\[op=REENCRYPT_EEK_BATCH, key=k1, user=luser\\] testmsg"));
+            + "OK\\[op=DECRYPT_EEK, key=k1, user=luser@REALM, accessCount=6, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=DECRYPT_EEK, key=k1, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser@REALM, accessCount=3, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=REENCRYPT_EEK_BATCH, key=k1, user=luser@REALM\\] 
testmsg"
+            + "OK\\[op=REENCRYPT_EEK_BATCH, key=k1, user=luser@REALM\\] 
testmsg"));
   }
 
   @Test
   @SuppressWarnings("checkstyle:linelength")
   public void testAggregationUnauth() throws Exception {
-    UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
-    Mockito.when(luser.getShortUserName()).thenReturn("luser");
     kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
     kmsAudit.evictCacheForTesting();
     kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
@@ -154,22 +150,20 @@ public class TestKMSAudit {
     // the aggregated OK is arbitrary - no correctness concerns, but flaky 
here.
     Assert.assertTrue(
         out.matches(
-            "UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] "
-            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
-            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg")
-            || out.matches("UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, 
user=luser\\] "
-            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
-            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, 
interval=[^m]{1,4}ms\\] testmsg"
-            + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"));
+            "UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser@REALM\\] "
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser@REALM, accessCount=5, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser@REALM\\] "
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg")
+            || out.matches("UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, 
user=luser@REALM\\] "
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser@REALM\\] "
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser@REALM, accessCount=5, 
interval=[^m]{1,4}ms\\] testmsg"
+            + "OK\\[op=GENERATE_EEK, key=k3, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"));
   }
 
   @Test
   public void testAuditLogFormat() throws Exception {
-        UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
-        Mockito.when(luser.getShortUserName()).thenReturn("luser");
         kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k4", "testmsg");
         kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "testmsg");
         kmsAudit.evictCacheForTesting();
@@ -179,11 +173,11 @@ public class TestKMSAudit {
         String out = getAndResetLogOutput();
         System.out.println(out);
         Assert.assertTrue(out.matches(
-          "OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
-           + "OK\\[op=GENERATE_EEK, user=luser\\] testmsg"
-           + "OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
-           + "UNAUTHORIZED\\[op=DECRYPT_EEK, key=k4, user=luser\\] "
-           + "ERROR\\[user=luser\\] Method:'method' Exception:'testmsg'"
+          "OK\\[op=GENERATE_EEK, key=k4, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
+           + "OK\\[op=GENERATE_EEK, user=luser@REALM\\] testmsg"
+           + "OK\\[op=GENERATE_EEK, key=k4, user=luser@REALM, accessCount=1, 
interval=[^m]{1,4}ms\\] testmsg"
+           + "UNAUTHORIZED\\[op=DECRYPT_EEK, key=k4, user=luser@REALM\\] "
+           + "ERROR\\[user=luser@REALM\\] Method:'method' Exception:'testmsg'"
            + "UNAUTHENTICATED RemoteHost:remotehost Method:method URL:url 
ErrorMsg:'testmsg'"));
     }
 
