[ https://issues.apache.org/jira/browse/EAGLE-96?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15112027#comment-15112027 ]
Senthilkumar commented on EAGLE-96:
-----------------------------------

Sample gateway logs:

>> #1 CAN BE USED FOR MONITORING INBOUND REQUESTS TO KNOX
>> REQUEST TO KNOX GATEWAY
2015-11-24 18:56:59,985 DEBUG server.Server (Server.java:handle(365)) - REQUEST /gateway/sandbox/webhdfs/v1/tmp/knox on AsyncHttpConnection@267d7dc4,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-5,l=3,c=0},r=1
2015-11-24 18:56:59,985 DEBUG server.session (SessionHandler.java:doScope(187)) - sessionManager=org.eclipse.jetty.server.session.HashSessionManager@533824d3

>> #2 WHICH USER IS TRYING TO REQUEST THE SERVICE
>> AUTHENTICATING USER AGAINST LDAPS SERVER
2015-11-24 18:56:59,986 DEBUG authc.BasicHttpAuthenticationFilter (BasicHttpAuthenticationFilter.java:createToken(308)) - Attempting to execute login with headers [Basic bXVya3Jpc2huYTpNM2VpejAhJCM=]
2015-11-24 18:56:59,987 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'murkrishna' through LDAP

>> #3 AUTHENTICATION DONE AGAINST WHICH SERVER AND WITH WHICH USER DOMAIN
>> userDN and LDAPS SERVER DETAILS WHERE AUTH TAKES PLACE
2015-11-24 18:56:59,987 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(513)) - Computed userDn: uid=murkrishna,ou=People,dc=ebay,dc=com using dnTemplate for principal: murkrishna
2015-11-24 18:56:59,987 DEBUG ldap.JndiLdapContextFactory (JndiLdapContextFactory.java:getLdapContext(488)) - Initializing LDAP context using URL [ldaps://phxldap06.phx.ebay.com:636] and principal [uid=murkrishna,ou=People,dc=ebay,dc=com] with pooling disabled
2015-11-24 18:57:00,022 DEBUG realm.AuthenticatingRealm (AuthenticatingRealm.java:getAuthenticationInfo(569)) - Looked up AuthenticationInfo [murkrishna] from doGetAuthenticationInfo
2015-11-24 18:57:00,022 DEBUG realm.AuthenticatingRealm (AuthenticatingRealm.java:cacheAuthenticationInfoIfPossible(507)) - AuthenticationInfo caching is disabled for info [murkrishna]. Submitted token: [org.apache.shiro.authc.UsernamePasswordToken - murkrishna, rememberMe=false (10.115.42.50)].

>> #4 AUTH RESULT
2015-11-24 18:57:00,023 DEBUG authc.AbstractAuthenticator (AbstractAuthenticator.java:authenticate(231)) - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - murkrishna, rememberMe=false (10.115.42.50)]. Returned account [murkrishna]

>> #5 HADOOP SERVICE CALL DETAILS
>> ESTABLISH CONNECTION TO THE NODE WHERE THE ACTUAL SERVICE CALL TAKES PLACE
2015-11-24 18:57:00,029 DEBUG conn.BasicClientConnectionManager (BasicClientConnectionManager.java:getConnection(159)) - Get connection for route {}->http://phx4b03c-378d.stratus.phx.ebay.com:50070
2015-11-24 18:57:00,029 DEBUG conn.DefaultClientConnectionOperator (DefaultClientConnectionOperator.java:openConnection(177)) - Connecting to phx4b03c-378d.stratus.phx.ebay.com:50070

>> AFTER SUCCESSFUL AUTHENTICATION, FORWARDING THE REQUEST TO THE ACTUAL
>> SERVICE URL.. IN THIS CASE WebHDFS CALL.. PAYLOAD AND OTHER DETAILS OF THE
>> REQUEST
>> CAN EXTRACT WHICH USER IS TRYING TO ACCESS WHICH FOLDER IN THIS CASE OF
>> WebHDFS. SIMILAR DETAILS CAN BE GOT FROM USING HBase/Oozie SERVICES.
2015-11-24 18:57:00,031 DEBUG client.DefaultHttpClient (DefaultRequestDirector.java:tryExecute(713)) - Attempt 1 to execute request
2015-11-24 18:57:00,031 DEBUG conn.DefaultClientConnection (DefaultClientConnection.java:sendRequestHeader(269)) - Sending request: GET /webhdfs/v1/tmp/knox?user.name=murkrishna&op=LISTSTATUS HTTP/1.1
2015-11-24 18:57:00,031 DEBUG http.wire (Wire.java:wire(63)) - >> "GET /webhdfs/v1/tmp/knox?user.name=murkrishna&op=LISTSTATUS HTTP/1.1[\r][\n]"
2015-11-24 18:57:00,032 DEBUG http.wire (Wire.java:wire(63)) - >> "Accept: */*[\r][\n]"
2015-11-24 18:57:00,032 DEBUG http.wire (Wire.java:wire(63)) - >> "User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2[\r][\n]"
2015-11-24 18:57:00,032 DEBUG http.wire (Wire.java:wire(63)) - >> "Host: phx4b03c-378d.stratus.phx.ebay.com:50070[\r][\n]"
2015-11-24 18:57:00,032 DEBUG http.wire (Wire.java:wire(63)) - >> "Connection: Keep-Alive[\r][\n]"

We need to explore Knox audit/gateway logs to see all attributes like who requested, URI, etc. The above logs have all the information, but this requires combining three events together to grep user, URI, status, etc.

> Support activity monitoring for Knox
> ------------------------------------
>
>                 Key: EAGLE-96
>                 URL: https://issues.apache.org/jira/browse/EAGLE-96
>             Project: Eagle
>          Issue Type: Bug
>            Reporter: Arun Manoharan
>            Assignee: Senthilkumar
>
> The Knox Gateway provides a single access point for all REST interactions
> with Hadoop clusters. It will be valuable to monitor the access events
> happening in knox gateway and see if there is an anomaly and generate an
> alert.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
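
The correlation the comment describes (several gateway log events combined into one record of user, URI and status), as an added example that is not part of the original comment or of Eagle's code. It assumes the lines of one request are contiguous in the log, which the sample does not guarantee for a gateway serving concurrent requests; the sample lines are constructed in the quoted format and the event field names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the gateway log format quoted above (not real data).
SAMPLE = """\
2015-11-24 18:56:59,985 DEBUG server.Server (Server.java:handle(365)) - REQUEST /gateway/sandbox/webhdfs/v1/tmp/knox on AsyncHttpConnection@1
2015-11-24 18:56:59,987 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'alice' through LDAP
2015-11-24 18:57:00,023 DEBUG authc.AbstractAuthenticator (AbstractAuthenticator.java:authenticate(231)) - Authentication successful for token [org.apache.shiro.authc.UsernamePasswordToken - alice, rememberMe=false (10.0.0.5)]. Returned account [alice]
2015-11-24 18:57:00,031 DEBUG conn.DefaultClientConnection (DefaultClientConnection.java:sendRequestHeader(269)) - Sending request: GET /webhdfs/v1/tmp/knox?user.name=alice&op=LISTSTATUS HTTP/1.1
2015-11-24 18:58:10,100 DEBUG server.Server (Server.java:handle(365)) - REQUEST /gateway/sandbox/webhdfs/v1/secure on AsyncHttpConnection@2
2015-11-24 18:58:10,102 DEBUG ldap.JndiLdapRealm (JndiLdapRealm.java:queryForAuthenticationInfo(369)) - Authenticating user 'bob' through LDAP
"""

# timestamp, level, logger, (File.java:method(line)), then the message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ \S+ \(.*?\)\) - (.*)$")
REQ = re.compile(r"REQUEST (\S+) on ")
USER = re.compile(r"Authenticating user '([^']+)' through LDAP")
OK = re.compile(r"Authentication successful for token \[.*? - ([^,]+), rememberMe=\w+ \(([^)]+)\)\]")
FWD = re.compile(r"Sending request: (\w+) (\S+) HTTP/")

def correlate(text):
    """Fold consecutive gateway lines into one access event per inbound request."""
    events, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if (r := REQ.match(msg)):
            if cur:  # previous request was never dispatched to a backend
                events.append(cur)
            cur = {"time": ts, "uri": r.group(1), "user": None, "src_ip": None,
                   "authenticated": False, "op": None, "backend_path": None}
        elif cur is None:
            continue  # line seen before any REQUEST; nothing to attach it to
        elif (u := USER.match(msg)):
            cur["user"] = u.group(1)  # claimed identity, not yet verified
        elif (a := OK.match(msg)):
            cur["user"], cur["src_ip"], cur["authenticated"] = a.group(1), a.group(2), True
        elif (f := FWD.match(msg)):
            url = urlsplit(f.group(2))
            cur["backend_path"] = url.path
            cur["op"] = parse_qs(url.query).get("op", [None])[0]
            events.append(cur)
            cur = None
    if cur:
        events.append(cur)
    return events

if __name__ == "__main__":
    for event in correlate(SAMPLE):
        print(event)
```

An event that ends with `authenticated` still false and no `op` is a request for which no success line and no backend dispatch were seen, which is the case an alerting policy would count per user or source address.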