Beibei Zhao created HBASE-27528:
-----------------------------------

             Summary: Add audit logs in MasterRpcServices
                 Key: HBASE-27528
                 URL: https://issues.apache.org/jira/browse/HBASE-27528
             Project: HBase
          Issue Type: Improvement
          Components: logging, master, rpc, security
    Affects Versions: thirdparty-4.1.3
            Reporter: Beibei Zhao

MasterRpcServices records audit logs for privileged operations (grant, revoke) and vital APIs like "execMasterService".

{code:java}
public ClientProtos.CoprocessorServiceResponse execMasterService(final RpcController controller,
  ......
    String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
    User caller = RpcServer.getRequestUser().orElse(null);
    AUDITLOG.info("User {} (remote address: {}) master service request for {}.{}", caller,
      remoteAddress, serviceName, methodName);
    return CoprocessorRpcUtils.getResponse(execResult, HConstants.EMPTY_BYTE_ARRAY);
  } catch (IOException ie) {
    throw new ServiceException(ie);
  }
}
{code}

There are many "write" operations like "deleteTable" that may cause security problems and should also record an audit log.

{code:java}
public DeleteTableResponse deleteTable(RpcController controller, DeleteTableRequest request)
  throws ServiceException {
  try {
    long procId = server.deleteTable(ProtobufUtil.toTableName(request.getTableName()),
      request.getNonceGroup(), request.getNonce());
    // an audit log is required here.
    return DeleteTableResponse.newBuilder().setProcId(procId).build();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
{code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
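
One way to find the RPC methods this issue is about is to scan the service class for public methods whose bodies never call the audit logger. The script below is an added example, not part of the issue or of HBase; the `SAMPLE` source is constructed from the two snippets above, and the helper names (`strip_noise`, `method_bodies`, `unaudited`) are hypothetical.

```python
import re

# Constructed sample modelled on the two snippets in the issue; not real HBase source.
SAMPLE = '''
public class MasterRpcServices {
  public CoprocessorServiceResponse execMasterService(RpcController controller,
      CoprocessorServiceRequest request) throws ServiceException {
    AUDITLOG.info("User {} (remote address: {}) master service request for {}.{}",
      caller, remoteAddress, serviceName, methodName);
    return response;
  }
  public DeleteTableResponse deleteTable(RpcController controller,
      DeleteTableRequest request) throws ServiceException {
    long procId = server.deleteTable(tableName, nonceGroup, nonce);
    // an audit log is required here.
    return DeleteTableResponse.newBuilder().setProcId(procId).build();
  }
}
'''

# "public <type> <name>(<params>) [throws ...] {" ; class declarations have no "(" and are skipped.
METHOD = re.compile(r'public\s+[\w.<>\[\]]+\s+(\w+)\s*\([^)]*\)[^{;]*\{')

def strip_noise(src):
    """Blank string literals and drop comments so their braces and names are ignored."""
    src = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)
    src = re.sub(r'//[^\n]*', '', src)
    return re.sub(r'/\*.*?\*/', '', src, flags=re.S)

def method_bodies(src):
    """Yield (name, body) for each public method, found by brace matching."""
    src = strip_noise(src)
    for m in METHOD.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def unaudited(src, logger='AUDITLOG'):
    """Return names of public methods whose body contains no call on the audit logger."""
    call = re.compile(r'\b' + re.escape(logger) + r'\.\w+\s*\(')
    return [name for name, body in method_bodies(src) if not call.search(body)]

if __name__ == "__main__":
    print(unaudited(SAMPLE))
```

The result lists every public method without an audit call, including read-only ones, so it is a review list to triage for state-changing operations rather than a list of defects.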