This is an automated email from the ASF dual-hosted git repository.

psomogyi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new 07c6bb1  HBASE-22759 Add user info to AUDITLOG events when doing 
grant/revoke
07c6bb1 is described below

commit 07c6bb16e7289a5ff2d6d6076ec3bcb0745a3d3f
Author: Andor Molnár <an...@cloudera.com>
AuthorDate: Wed Aug 7 11:06:30 2019 +0200

    HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke
---
 .../apache/hadoop/hbase/master/MasterRpcServices.java    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git 
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
 
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index 66a4cef..e55a39d 100644
--- 
a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ 
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -344,6 +344,8 @@ public class MasterRpcServices extends RSRpcServices
       implements MasterService.BlockingInterface, 
RegionServerStatusService.BlockingInterface,
         LockService.BlockingInterface, HbckService.BlockingInterface {
   private static final Logger LOG = 
LoggerFactory.getLogger(MasterRpcServices.class.getName());
+  private static final Logger AUDITLOG =
+      
LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
 
   private final HMaster master;
 
@@ -2608,6 +2610,13 @@ public class MasterRpcServices extends RSRpcServices
       if (master.cpHost != null) {
         master.cpHost.postGrant(perm, mergeExistingPermissions);
       }
+      User caller = RpcServer.getRequestUser().orElse(null);
+      if (AUDITLOG.isTraceEnabled()) {
+        // audit log should store permission changes in addition to auth 
results
+        String remoteAddress = 
RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+        AUDITLOG.trace("User {} (remote address: {}) granted permission {}", 
caller, remoteAddress,
+                perm);
+      }
       return GrantResponse.getDefaultInstance();
     } catch (IOException ioe) {
       throw new ServiceException(ioe);
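Review bot: The grant audit record is written only when TRACE is enabled for the `SecurityLogger.`-prefixed logger, so a deployment that leaves this category at a higher level gets no audit entry for a successful grant. Unless TRACE is the project's convention for audit categories, emit it unconditionally with `AUDITLOG.info("User {} (remote address: {}) granted permission {}", caller, remoteAddress, perm);`. `caller` is also resolved outside the guard and falls back to `null`, so a request with no request user is recorded as `User null`; move the lookup inside the block and log an explicit placeholder, e.g. `String caller = RpcServer.getRequestUser().map(Object::toString).orElse("<unknown>");`. Both points apply equally to the revoke hunk. The enclosing grant method begins before this hunk, so how `perm` is built and checked is not visible here.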
@@ -2629,6 +2638,13 @@ public class MasterRpcServices extends RSRpcServices
       if (master.cpHost != null) {
         master.cpHost.postRevoke(userPermission);
       }
+      User caller = RpcServer.getRequestUser().orElse(null);
+      if (AUDITLOG.isTraceEnabled()) {
+        // audit log should record all permission changes
+        String remoteAddress = 
RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+        AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", 
caller, remoteAddress,
+                userPermission);
+      }
       return RevokeResponse.getDefaultInstance();
     } catch (IOException ioe) {
       throw new ServiceException(ioe);
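Review bot: The revoke audit block is a copy of the grant one, differing only in the verb and the permission object, so any later change to the audit format or level has to be made in two places and the two records can drift apart. A private helper shared by both call sites keeps grant and revoke records uniform, which matters to anyone parsing the audit trail. The sketch keeps the current TRACE level and message text and takes the permission as `Object`, because the declared types of `perm` and `userPermission` are not visible in the hunks. The enclosing revoke method starts outside this hunk.

```java
  private static void auditPermissionChange(String action, Object permission) {
    if (!AUDITLOG.isTraceEnabled()) {
      return;
    }
    // audit log should record all permission changes
    User caller = RpcServer.getRequestUser().orElse(null);
    String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
    AUDITLOG.trace("User {} (remote address: {}) {} permission {}", caller, remoteAddress, action,
        permission);
  }

      // … unchanged: master.cpHost.postRevoke(userPermission) …
      auditPermissionChange("revoked", userPermission);
      return RevokeResponse.getDefaultInstance();
```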
