[
https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Duo Zhang resolved HBASE-27528.
-------------------------------
Fix Version/s: 2.6.0
3.0.0-alpha-4
Hadoop Flags: Reviewed
Resolution: Fixed
Pushed to master and branch-2.
I think changing audit log is something like a "breaking" change, so do not
push to currect active release lines.
Thanks [~chino71] for contributing!
> log duplication issues in MasterRpcServices
> -------------------------------------------
>
> Key: HBASE-27528
> URL: https://issues.apache.org/jira/browse/HBASE-27528
> Project: HBase
> Issue Type: Bug
> Components: logging, master, rpc, security
> Reporter: Beibei Zhao
> Assignee: Beibei Zhao
> Priority: Major
> Fix For: 2.6.0, 3.0.0-alpha-4
>
>
> MasterRpcServices record audit log in privileged operations (grant, revoke)
> and vital apis like "execMasterService".
> {code:java}
> public RevokeResponse revoke(RpcController controller, RevokeRequest
> request)
> throws ServiceException {
> try {
> ......
> server.cpHost.preRevoke(userPermission); // has audit log in
> AccessChecker
> ...... // removeUserPermission
> User caller = RpcServer.getRequestUser().orElse(null);
> if (AUDITLOG.isTraceEnabled()) {
> // audit log should record all permission changes
> String remoteAddress =
> RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
> AUDITLOG.trace("User {} (remote address: {}) revoked permission
> {}", caller,
> remoteAddress, userPermission);
> }
> ......
> }
> {code}
> but I found a path from *server.cpHost.preRevoke(userPermission);* to
> {*}AccessChecker audit log{*}, which caused {*}log duplication{*}.
> {code:java}
> public void requireGlobalPermission(User user, String request, Action perm,
> String namespace)
> throws IOException {
> AuthResult authResult;
> if (authManager.authorizeUserGlobal(user, perm)) {
> authResult = AuthResult.allow(request, "Global check allowed", user,
> perm, null);
> authResult.getParams().setNamespace(namespace);
> logResult(authResult);
> } else {
> authResult = AuthResult.deny(request, "Global check failed", user,
> perm, null);
> authResult.getParams().setNamespace(namespace);
> logResult(authResult);
> throw new AccessDeniedException(
> "Insufficient permissions for user '" + (user != null ?
> user.getShortName() : "null")
> + "' (global, action=" + perm.toString() + ")");
> }
> }
> public static void logResult(AuthResult result) {
> if (AUDITLOG.isTraceEnabled()) {
> User user = result.getUser();
> UserGroupInformation ugi = user != null ? user.getUGI() : null;
> AUDITLOG.trace(
> "Access {} for user {}; reason: {}; remote address: {}; request: {};
> context: {};"
> + "auth method: {}",
> (result.isAllowed() ? "allowed" : "denied"),
> (user != null ? user.getShortName() : "UNKNOWN"), result.getReason(),
> RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""),
> result.getRequest(),
> result.toContextString(), ugi != null ? ugi.getAuthenticationMethod()
> : "UNKNOWN");
> }
> }
> {code}
> Since *AccessChecker* integrates auditlogs for permission check, I'll delete
> the log in MasterRpcServices.
> There must be more problems like this, I' ll check it later and commit the
> code.
> -There are many "write" operations like "deleteTable", which may cause
> security problems, should also record an audit log.-
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
