From cfe58e057c1c48140d73a62395b3744705578d5d Mon Sep 17 00:00:00 2001
From: Andor Molnar
Date: Mon, 29 Jul 2019 16:14:36 +0200
Subject: [PATCH 1/3] HBASE-22759. Added AUDIT logger to MasterRpcServices grant() revoke() methods
---
 .../hadoop/hbase/master/MasterRpcServices.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index 5af6fb0c907f..e1e6cd0473de 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -349,6 +349,8 @@ public class MasterRpcServices extends RSRpcServices implements
 MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface, LockService.BlockingInterface, HbckService.BlockingInterface {
 private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
+ private static final Logger AUDITLOG =
+ LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());
 private final HMaster master;
@@ -2584,6 +2586,11 @@ public GrantResponse grant(RpcController controller, GrantRequest request)
 if (master.cpHost != null) {
 master.cpHost.postGrant(perm, mergeExistingPermissions);
 }
+ User caller = RpcServer.getRequestUser().orElse(null);
+ if (AUDITLOG.isTraceEnabled()) {
+ // audit log should store permission changes in addition to auth results
+ AUDITLOG.trace("User {} granted permission {}", caller, perm);
+ }
 return GrantResponse.getDefaultInstance();
 } catch (IOException ioe) {
 throw new ServiceException(ioe);
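Review bot: The audit entries added in the grant() hunk (and in the revoke() hunk on the following line) are written at TRACE on a newly named category, `SecurityLogger.org.apache.hadoop.hbase.master.MasterRpcServices`, so they are silently dropped unless the deployment's logging configuration explicitly enables TRACE for that category or for a `SecurityLogger` parent; a permission change is the kind of event an audit trail should capture by default, so either log it as `AUDITLOG.info("User {} granted permission {}", caller, perm);` or add a comment on the AUDITLOG field stating which logger level operators must enable to receive these records. The `isTraceEnabled()` guard adds nothing once the message uses `{}` placeholders, since SLF4J defers formatting until the level check passes, so it can be dropped unless argument construction becomes expensive. Only the success path is recorded: a grant that fails inside the try block after authorization leaves no entry here, which is acceptable if the authorization decision is logged elsewhere as the added comment implies, but that assumption is worth stating in the comment. The grant() body begins before and ends after the hunk.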
@@ -2605,6 +2612,11 @@ public RevokeResponse revoke(RpcController controller, RevokeRequest request)
 if (master.cpHost != null) {
 master.cpHost.postRevoke(userPermission);
 }
+ User caller = RpcServer.getRequestUser().orElse(null);
+ if (AUDITLOG.isTraceEnabled()) {
+ // audit log should record all permission changes
+ AUDITLOG.trace("User {} revoked permission {}", caller, userPermission);
+ }
 return RevokeResponse.getDefaultInstance();
 } catch (IOException ioe) {
 throw new ServiceException(ioe);
From 59083606cdc8ad61993fcaba425b598a3b070ff6 Mon Sep 17 00:00:00 2001
From: Andor Molnar
Date: Tue, 6 Aug 2019 12:43:42 +0200
Subject: [PATCH 2/3] HBASE-22759. Added user's remote address to the log message
---
 .../org/apache/hadoop/hbase/master/MasterRpcServices.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index e1e6cd0473de..fdfbe6a4225d 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -2589,7 +2589,8 @@ public GrantResponse grant(RpcController controller, GrantRequest request)
 User caller = RpcServer.getRequestUser().orElse(null);
 if (AUDITLOG.isTraceEnabled()) {
 // audit log should store permission changes in addition to auth results
- AUDITLOG.trace("User {} granted permission {}", caller, perm);
+ String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+ AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress, perm);
 }
 return GrantResponse.getDefaultInstance();
 } catch (IOException ioe) {
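Review bot: `InetAddress::toString` in the added `remoteAddress` line produces the `hostname/ip` form, with an empty host part when no name has been resolved for that address (an unresolved address renders like `/<ip>`), so the same client shows up in two formats depending on earlier lookups, which hurts anyone grepping or parsing the audit trail; `InetAddress::getHostAddress` gives the bare literal address consistently, i.e. `.map(InetAddress::getHostAddress).orElse("unknown")`. The `orElse("")` fallback renders as `(remote address: )`, which reads like a truncated record rather than a deliberately missing value; an explicit marker such as `"unknown"` keeps the two cases distinguishable. The same two lines are added to revoke() in the next hunk, so the choice should change in both places, or the lookup lifted into a small private helper both methods call. The grant() body begins before and ends after the hunk.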
@@ -2615,7 +2616,8 @@ public RevokeResponse revoke(RpcController controller, RevokeRequest request)
 User caller = RpcServer.getRequestUser().orElse(null);
 if (AUDITLOG.isTraceEnabled()) {
 // audit log should record all permission changes
- AUDITLOG.trace("User {} revoked permission {}", caller, userPermission);
+ String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
+ AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress, userPermission);
 }
 return RevokeResponse.getDefaultInstance();
 } catch (IOException ioe) {
From 98cc13bf608700a695bbca0c34431c1a558708cb Mon Sep 17 00:00:00 2001
From: Andor Molnar
Date: Wed, 7 Aug 2019 10:59:33 +0200
Subject: [PATCH 3/3] HBASE-22759. Checkstyle fixes
---
 .../org/apache/hadoop/hbase/master/MasterRpcServices.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
index fdfbe6a4225d..c9a962b4b74f 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java
@@ -2590,7 +2590,8 @@ public GrantResponse grant(RpcController controller, GrantRequest request)
 if (AUDITLOG.isTraceEnabled()) {
 // audit log should store permission changes in addition to auth results
 String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
- AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress, perm);
+ AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
+ perm);
 }
 return GrantResponse.getDefaultInstance();
 } catch (IOException ioe) {
@@ -2617,7 +2618,8 @@ public RevokeResponse revoke(RpcController controller, RevokeRequest request)
 if (AUDITLOG.isTraceEnabled()) {
 // audit log should record all permission changes
 String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
- AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress, userPermission);
+ AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
+ userPermission);
 }
 return RevokeResponse.getDefaultInstance();
 } catch (IOException ioe) {