[ https://issues.apache.org/jira/browse/HBASE-6386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422619#comment-13422619 ]
stack commented on HBASE-6386: ------------------------------ @Marcelo I was thinking these changes: {code} - public static AuthResult allow(String reason, User user, Permission.Action action, byte[] table) { - return new AuthResult(true, reason, user, action, table, null, null); + public static AuthResult allow(String reason, User user, + Permission.Action action, byte[] table, + Map<byte[], ? extends Collection<?>> families) { {code} @Andrew You think the above changes an issue? If not I'll commit. > Audit log messages do not include column family / qualifier information > consistently > ------------------------------------------------------------------------------------ > > Key: HBASE-6386 > URL: https://issues.apache.org/jira/browse/HBASE-6386 > Project: HBase > Issue Type: Improvement > Components: security > Affects Versions: 0.96.0 > Reporter: Marcelo Vanzin > Attachments: hbase-6386-v1.patch > > > The code related to this issue is in > AccessController.java:permissionGranted(). > When creating audit logs, that method will do one of the following: > * grant access, create audit log with table name only > * deny access because of table permission, create audit log with table name > only > * deny access because of column family / qualifier permission, create audit > log with specific family / qualifier > So, in the case where more than one column family and/or qualifier are in the > same request, there will be a loss of information. Even in the case where > only one column family and/or qualifier is involved, information may be lost. > It would be better if this behavior consistently included all the information > in the request; regardless of access being granted or denied, and regardless > which permission caused the denial, the column family and qualifier info > should be part of the audit log message. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira