HBASE-22759 Add user info to AUDITLOG events when doing grant/revoke
anmolnar authored and petersomogyi committed Aug 7, 2019
1 parent a802948 commit 07c6bb1
Showing 1 changed file with 16 additions and 0 deletions.
Expand Up @@ -344,6 +344,8 @@ public class MasterRpcServices extends RSRpcServices
implements MasterService.BlockingInterface, RegionServerStatusService.BlockingInterface,
LockService.BlockingInterface, HbckService.BlockingInterface {
private static final Logger LOG = LoggerFactory.getLogger(MasterRpcServices.class.getName());
private static final Logger AUDITLOG =
LoggerFactory.getLogger("SecurityLogger."+MasterRpcServices.class.getName());

private final HMaster master;

Expand Down Expand Up @@ -2608,6 +2610,13 @@ public GrantResponse grant(RpcController controller, GrantRequest request)
if (master.cpHost != null) {
master.cpHost.postGrant(perm, mergeExistingPermissions);
}
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should store permission changes in addition to auth results
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) granted permission {}", caller, remoteAddress,
perm);
}
return GrantResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
Expand All @@ -2629,6 +2638,13 @@ public RevokeResponse revoke(RpcController controller, RevokeRequest request)
if (master.cpHost != null) {
master.cpHost.postRevoke(userPermission);
}
User caller = RpcServer.getRequestUser().orElse(null);
if (AUDITLOG.isTraceEnabled()) {
// audit log should record all permission changes
String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress,
userPermission);
}
return RevokeResponse.getDefaultInstance();
} catch (IOException ioe) {
throw new ServiceException(ioe);
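Review bot: The new audit events for grant() and revoke() are emitted at TRACE and only on the success path after postGrant/postRevoke, so with the `SecurityLogger.`-prefixed logger at any higher level no permission change is recorded, and a request that fails with IOException leaves no entry from this code. If TRACE is kept to match audit logging elsewhere in the project (not visible here), say so at the logger declaration, e.g. `// audit events are logged at TRACE; enable this logger at TRACE to capture grant/revoke`. `caller` is only used inside the guard, so `User caller = RpcServer.getRequestUser().orElse(null);` can move into the `if (AUDITLOG.isTraceEnabled())` block in both methods. `InetAddress::toString` yields the `hostname/address` form, which is harder to parse in an audit trail than `InetAddress::getHostAddress`. Both method bodies start and end outside the hunks shown.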