[ 
https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiao Chen updated HADOOP-13693:
-------------------------------
    Summary: Remove the message about HTTP OPTIONS in SPNEGO initialization 
message from kms audit log  (was: Make the SPNEGO initialization OPTIONS 
message in kms audit log admin-friendly)

> Remove the message about HTTP OPTIONS in SPNEGO initialization message from 
> kms audit log
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13693
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13693
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Minor
>         Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED 
> ErrorMsg:'Authentication required' message before the OK messages. This is 
> expected, and due to the spnego authentication sequence. (Notice method == 
> {{OPTIONS}})
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS 
> URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
>  ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, 
> accessCount=1, interval=0ms] 
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, 
> accessCount=1, interval=10193ms] 
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We 
> should make it obvious this is benign.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to