This is an automated email from the ASF dual-hosted git repository. psomogyi pushed a commit to branch branch-2.2 in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.2 by this push: new 5b1799a HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke 5b1799a is described below commit 5b1799a7750679876892f52e9ef5d5c0f957e6ce Author: Andor Molnár <an...@cloudera.com> AuthorDate: Wed Aug 7 11:06:30 2019 +0200 HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke --- .../apache/hadoop/hbase/master/MasterRpcServices.java | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java index c115820..c8b56fb 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java @@ -335,6 +335,8 @@ public class MasterRpcServices extends RSRpcServices implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface, LockService.BlockingInterface, HbckService.BlockingInterface { private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName()); + private static final Logger AUDITLOG = + LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName()); private final HMaster master; @@ -2542,6 +2544,13 @@ public class MasterRpcServices extends RSRpcServices if (master.cpHost != null) { master.cpHost.postGrant(perm, mergeExistingPermissions); } + User caller = RpcServer.getRequestUser().orElse(null); + if (AUDITLOG.isTraceEnabled()) { + // audit log should store permission changes in addition to auth results + String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); + AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress, + perm); + } return GrantResponse.getDefaultInstance(); } catch (IOException ioe) { throw new ServiceException(ioe); 
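Review bot: The `AUDITLOG` field has no comment saying how it must be configured, and the grant/revoke events later in this patch are written with `AUDITLOG.trace` behind `isTraceEnabled()`, so they appear only when this logger resolves to TRACE. A configuration that raises only a sibling logger under `SecurityLogger` to TRACE would not cover it, because the name built here ends in the `MasterRpcServices` class name. I would add above the field: `// Audit trail for grant/revoke; events are logged at TRACE, so "SecurityLogger." + this class name must be enabled at TRACE to record them.` It is also worth asking whether a successful permission change should be logged at a level that is on by default rather than at TRACE.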
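Review bot: The audit record in the grant hunk is written only after `master.cpHost.postGrant(...)` returns, so an `IOException` thrown by that post-hook goes straight to the `catch` and no audit line is produced. The code that applies the permission is above the hunk and not visible here, but if the change is already stored by the time the post-hook runs, a grant can take effect without an audit entry. Consider emitting the audit line before the `if (master.cpHost != null)` post-hook block, or documenting the gap with `// NOTE: not reached if postGrant throws; the permission may already be stored`. The revoke hunk has the same ordering around `postRevoke`. The enclosing method begins and ends outside the hunk.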
@@ -2563,6 +2572,13 @@ public class MasterRpcServices extends RSRpcServices
 if (master.cpHost != null) {
 master.cpHost.postRevoke(userPermission);
 }
+ User caller = RpcServer.getRequestUser().orElse(null);
+ if (AUDITLOG.isTraceEnabled()) {
+ // audit log should record all permission changes
+ String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+ AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
+ userPermission);
+ }
 return RevokeResponse.getDefaultInstance();
 } catch (IOException ioe) {
 throw new ServiceException(ioe);
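Review bot: `caller` falls back to `null` and `remoteAddress` to `""`, so a request with no resolved user is logged as `User null (remote address: )`, which is hard to tell apart from a formatting fault when the audit log is searched. `caller` is also computed outside the `isTraceEnabled()` guard although it is used only inside it. I would move the lookup into the guard and make the absent case explicit, e.g. `String caller = RpcServer.getRequestUser().map(User::toString).orElse("<unknown>");`, and use `InetAddress::getHostAddress` so the address field is a bare literal rather than the `hostname/address` form that `InetAddress.toString()` produces. The same applies to the grant hunk; the method body continues outside the hunk.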