[ https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15576773#comment-15576773 ]

Andrew Wang commented on HADOOP-13693:
--------------------------------------

I think since this OPTIONS call is unrelated to any actual KMS-level operation, 
it doesn't belong in the audit log. Especially since this UNAUTHENTICATED is 
part of the happy path of authenticating with the KMS.

We can consider moving this information to kms.log instead, but it seems spammy 
even there. My 2c is to just remove it.

> Make the SPNEGO initialization OPTIONS message in kms audit log admin-friendly
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-13693
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13693
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Minor
>         Attachments: HADOOP-13693.01.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED 
> ErrorMsg:'Authentication required' message before the OK messages. This is 
> expected, and due to the spnego authentication sequence. (Notice method == 
> {{OPTIONS}})
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=0ms]
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=10193ms]
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We 
> should make it obvious this is benign.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
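
For anyone reviewing a kms-audit.log that still contains these entries, the following is an added example (not part of the original message and not Hadoop code) that separates the SPNEGO handshake OPTIONS entries from UNAUTHENTICATED entries that are never followed by a successful operation. The 2-second window, the function names and the 192.0.2.44 sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
# Line shapes follow the kms-audit.log excerpt quoted in the issue.
UNAUTH = re.compile(TS + r" UNAUTHENTICATED RemoteHost:(?P<host>\S+) Method:(?P<method>\S+)")
OK = re.compile(TS + r" OK\[op=")
# Assumption: a client that finishes the handshake gets its OK entry within this window.
WINDOW = timedelta(seconds=2)

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def triage(lines, window=WINDOW):
    """Split UNAUTHENTICATED entries into (benign, suspicious).

    The UNAUTHENTICATED line has no user and the OK line has no remote host,
    so the two can only be paired by time, not by identity.
    """
    ok_times = [_ts(m["ts"]) for m in map(OK.match, lines) if m]
    benign, suspicious = [], []
    for line in lines:
        m = UNAUTH.match(line)
        if not m:
            continue
        t = _ts(m["ts"])
        followed = any(t <= ok <= t + window for ok in ok_times)
        entry = (m["ts"], m["host"], m["method"])
        (benign if m["method"] == "OPTIONS" and followed else suspicious).append(entry)
    return benign, suspicious

# The first two lines come from the issue; the 192.0.2.44 lines are constructed.
SAMPLE = [
    "2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS "
    "URL:https://quickstart.cloudera:16000/kms/v1/keyversion/"
    "ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt "
    "ErrorMsg:'Authentication required'",
    "2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, "
    "accessCount=1, interval=0ms]",
    "2016-01-31 22:15:00,120 UNAUTHENTICATED RemoteHost:192.0.2.44 Method:OPTIONS "
    "URL:https://kms.example:16000/kms/v1/keys/names ErrorMsg:'Authentication required'",
    "2016-01-31 22:15:00,480 UNAUTHENTICATED RemoteHost:192.0.2.44 Method:OPTIONS "
    "URL:https://kms.example:16000/kms/v1/keys/names ErrorMsg:'Authentication required'",
]

if __name__ == "__main__":
    benign, suspicious = triage(SAMPLE)
    print("benign handshake entries:", benign)
    print("needs review:", suspicious)
```

On a busy KMS an unrelated client's OK entry can fall inside the window, so the benign list is a noise filter for triage rather than proof that a given host authenticated.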
