[
https://issues.apache.org/jira/browse/HBASE-13235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364339#comment-14364339
]
Srikanth Srungarapu commented on HBASE-13235:
---------------------------------------------
Relevant excerpts from audit logs relevant to the changes:
{code}
2015-03-16 17:49:29,165 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ssrungarapu; reason: Namespace permission granted; remote
address: /192.168.1.5; request: createTable;
context: (user=ssrungarapu, scope=default,
params=[namespace=default,table=default:test,family=f1],action=CREATE)
2015-03-16 17:49:29,173 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ssrungarapu; reason: All users allowed; remote address:
/192.168.1.5; request: get;
context: (user=ssrungarapu, scope=hbase:meta, family=table:state,
params=[table=hbase:meta,family=table:state],action=READ)
2015-03-16 17:50:05,308 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ssrungarapu; reason: Global check allowed; remote address:
/192.168.1.5; request: createNamespace;
context: (user=ssrungarapu, scope=GLOBAL, params=[namespace=ns],action=ADMIN)
2015-03-16 17:50:16,376 TRACE
SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access
allowed for user ssrungarapu; reason: Table permission granted; remote address:
/192.168.1.5; request: addColumn;
context: (user=ssrungarapu, scope=default:test,
params=[table=default:test,family=f2],action=ADMIN)
{code}
> Revisit the security auditing semantics.
> ----------------------------------------
>
> Key: HBASE-13235
> URL: https://issues.apache.org/jira/browse/HBASE-13235
> Project: HBase
> Issue Type: Improvement
> Reporter: Srikanth Srungarapu
> Assignee: Srikanth Srungarapu
> Attachments: HBASE-13235.patch, HBASE-13235_v2.patch
>
>
> More specifically, the following things need a closer look. (Will include
> more based on feedback and/or suggestions)
> * Table name (say test) instead of fully qualified table name(default:test)
> being used.
> * Right now, we're using the scope to be similar to arguments for operation.
> Would be better to decouple the arguments for operation and scope involved in
> checking. For e.g. say for createTable, we have the following audit log
> {code}
> Access denied for user esteban; reason: Insufficient permissions; remote
> address: /10.20.30.1; request: createTable; context: (user=srikanth@XXX,
> scope=default, action=CREATE)
> {code}
> The scope was rightly being used as default namespace, but we're missing out
> the information like operation params for CREATE which we used to log prior
> to HBASE-12511.
> Would love to hear inputs on this!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
