Hi Andrew, thanks for the feedback.

On Thu, Jul 12, 2012 at 2:56 PM, Andrew Purtell <[email protected]> wrote:
> I'd argue the entire security side of Hadoop is in need of some
> serious work regards audit. For starters, consistent audit logging
> formats: success is logged at INFO level, failure is logged via
> exception.

I won't dispute that. :-) Consistent behavior is a good thing. For example, HDFS logs audit messages at INFO level today (IIRC), while HBase does so at TRACE level. For starters, that means HBase audit logs won't be available by default in most installations.

>> (i) Lack of column family information in audit logs
> Consider filing a JIRA for this as a subtask under
> https://issues.apache.org/jira/browse/HBASE-6096.

Will do.

>> (ii) The access controller does not work if authentication is disabled.
>
> IMHO, doing anything with authentication disabled is out of design
> scope. Reasonable people may disagree.

I don't have a strong opinion about this being a feature of the AccessController. It can be done easily enough with a custom coprocessor. The only thing that is kinda sketchy in the custom coprocessor approach is the definition of "what requests map to what required permissions", something that is baked into the AccessController code today. That's not too much information to replicate, but having it available in an easier manner would help a lot here.

>> (iii) There's no easy way to customize processing of audit events.
>>
>> Audit events are written to a log appender in a private method in
>> AccessController.java; this means anyone who wants something
>> different, like writing this data to a database, has to go through the
>> logging system to do it.
>
> This is consistent with how all of Hadoop does logging. I don't think
> we should roll our own. That doesn't improve the situation for system
> operators, it means they have to deal with all other parts of Hadoop
> then do something else for HBase specifically. That said,

Well, the logging path wouldn't go away; this would just be an extension for people who might have more complicated needs than just writing to log files. We're looking at maybe providing a similar thing for HDFS.
In the end, we don't want the easy way to be any different than it is today, but at the same time have a system where doing more complicated things is possible.

>> I actually have a working
>> prototype for this approach on top of HBase 0.92, I can post the patch
>> somewhere if anyone is interested.
>
> Suggest putting it up as another subtask under
> https://issues.apache.org/jira/browse/HBASE-6096 so we can review it.

I'll play with it some more and post something.

--
Marcelo
