[ 
https://issues.apache.org/jira/browse/HBASE-26160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391312#comment-17391312
 ] 

Anoop Sam John commented on HBASE-26160:
----------------------------------------

Whether the deny list should take some pattern instead of exact names?  In PR 
we see to check for equality.
What if org.apache.hadoop.hbase.security.access is in deny list but one try to 
set Log level for org.apache.hadoop.hbase.security.access.AccessController ?

> Configurable disallowlist for live editing of loglevels
> -------------------------------------------------------
>
>                 Key: HBASE-26160
>                 URL: https://issues.apache.org/jira/browse/HBASE-26160
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Bryan Beaudreault
>            Assignee: Bryan Beaudreault
>            Priority: Minor
>
> We currently use log4j/slf4j for audit logging in AccessController. This is 
> convenient but presents a security/compliance risk because we allow 
> live-editing of logLevels via the UI. One can simply set the logger to OFF 
> and then perform actions un-audited.
> We should add a configuration for setting certain log levels to read-only



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to