[jira] [Commented] (HADOOP-13693) Make the SPNEGO initialization OPTIONS message in kms audit log more admin-friendly

Thu, 06 Oct 2016 17:39:12 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15553696#comment-15553696
 ] 

Xiao Chen commented on HADOOP-13693:
------------------------------------

This is audit log, so incompatible by default.
We have several choices to improve:
# since this is an {{OPTIONS}} http method, maybe we can hence not log it into 
audit logs.
# change the {{AuthenticationFilter}} to no longer return an error for this 
type of requests.
# update the audit message to give better context.

IMO logging is theoretically correct, and changing the server code feels risky. 
So posting a patch to do #3 here.
[~xyao], I see you helped resolving the linked HDFS-10428. What's your opinion 
about this one? Also ping [~asuresh] for input. Thank you both in advance.

> Make the SPNEGO initialization OPTIONS message in kms audit log more 
> admin-friendly
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13693
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13693
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Minor
>         Attachments: HADOOP-13693.01.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED 
> ErrorMsg:'Authentication required' message before the OK messages. This is 
> expected, and due to the spnego authentication sequence.
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS 
> URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
>  ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, 
> accessCount=1, interval=0ms] 
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, 
> accessCount=1, interval=10193ms] 
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We 
> should make it obvious this is benign, and help them focus on the real errors.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to