[
https://issues.apache.org/jira/browse/HBASE-12831?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14274020#comment-14274020
]
Andrew Purtell commented on HBASE-12831:
----------------------------------------
Can we make this more like the AccessController's audit logging, f.e.:
{code}
AUDITLOG.trace("Access " + (result.isAllowed() ? "allowed" : "denied") +
    " for user " + (result.getUser() != null ?
        result.getUser().getShortName() : "UNKNOWN") +
    "; reason: " + result.getReason() +
    "; remote address: " + (remoteAddr != null ? remoteAddr : "") +
    "; request: " + result.getRequest() +
    "; context: " + result.toContextString());
{code}
Then the same regex or parser can be used for both, and both the AC and VC will
emit the same information on client and context.
> Changing the set of vis labels a user has access to doesn't generate an audit
> log event
> ---------------------------------------------------------------------------------------
>
> Key: HBASE-12831
> URL: https://issues.apache.org/jira/browse/HBASE-12831
> Project: HBase
> Issue Type: Bug
> Affects Versions: 1.0.0, 2.0.0, 0.98.6
> Reporter: Sean Busbey
> Assignee: Ashish Singhi
> Labels: audit
> Fix For: 1.0.1, 0.98.11
>
> Attachments: HBASE-12831.patch
>
>
> Right now, the AccessController makes sure that (when users care about audit
> events) we generate an audit log event for any access change, like granting
> or removing a permission from a user.
> When the set of labels a user has access to is altered, it gets handled by
> the VisibilityLabelService and we don't log anything to the audit log.
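The shared-parser idea from the comment above, as an added example (not code from HBase or from the attached patch): one regex built from the field order of the quoted `AUDITLOG.trace()` call, run over constructed log lines. The log prefix, the `setAuths` request name, and the reason and context strings are assumptions made up for the sample.

```python
import re

# Field order and separators follow the AUDITLOG.trace() call quoted above.
# Non-greedy groups let a free-text reason contain "; " without breaking the split.
AUDIT_RE = re.compile(
    r"Access (?P<decision>allowed|denied) for user (?P<user>.*?)"
    r"; reason: (?P<reason>.*?)"
    r"; remote address: (?P<remote>.*?)"
    r"; request: (?P<request>.*?)"
    r"; context: (?P<context>.*)$"
)

def parse_audit_line(line):
    """Return the audit fields as a dict, or None if the line is not an audit event."""
    m = AUDIT_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    event["allowed"] = event.pop("decision") == "allowed"
    # The quoted Java emits "UNKNOWN" for a null user and "" for a null address;
    # a real account literally named UNKNOWN cannot be told apart from that case.
    if event["user"] == "UNKNOWN":
        event["user"] = None
    event["remote"] = event["remote"] or None
    return event

def denied_requests(lines):
    """List (user, request, remote) for every denied event, in log order."""
    events = (parse_audit_line(line) for line in lines)
    return [(e["user"], e["request"], e["remote"])
            for e in events if e is not None and not e["allowed"]]

# Constructed sample lines (not real HBase output): a permission grant, a
# visibility-label change in the same format, and an unrelated log line.
SAMPLE_LINES = [
    "2015-01-12 10:00:01,123 TRACE audit: Access allowed for user admin; "
    "reason: Global check allowed; remote address: /10.0.0.5; "
    "request: grant; context: (user=admin, scope=GLOBAL, action=ADMIN)",
    "2015-01-12 10:00:07,456 TRACE audit: Access denied for user UNKNOWN; "
    "reason: User is not a superuser; labels unchanged; remote address: ; "
    "request: setAuths; context: (user=UNKNOWN, labels=secret)",
    "2015-01-12 10:00:09,001 INFO regionserver: Flushed memstore",
]

if __name__ == "__main__":
    for user, request, remote in denied_requests(SAMPLE_LINES):
        print(f"denied: user={user} request={request} remote={remote}")
```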