Beibei Zhao created HBASE-27528:
-----------------------------------
Summary: Add audit logs in MasterRpcServices
Key: HBASE-27528
URL: https://issues.apache.org/jira/browse/HBASE-27528
Project: HBase
Issue Type: Improvement
Components: logging, master, rpc, security
Affects Versions: thirdparty-4.1.3
Reporter: Beibei Zhao
MasterRpcServices records audit logs for privileged operations (grant, revoke) and
vital APIs like "execMasterService".
{code:java}
public ClientProtos.CoprocessorServiceResponse execMasterService(final RpcController controller,
    ......
    String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
    User caller = RpcServer.getRequestUser().orElse(null);
    AUDITLOG.info("User {} (remote address: {}) master service request for {}.{}", caller,
      remoteAddress, serviceName, methodName);
    return CoprocessorRpcUtils.getResponse(execResult, HConstants.EMPTY_BYTE_ARRAY);
  } catch (IOException ie) {
    throw new ServiceException(ie);
  }
}
{code}
There are many "write" operations like "deleteTable" that may cause security
problems and should also record an audit log.
{code:java}
public DeleteTableResponse deleteTable(RpcController controller, DeleteTableRequest request)
  throws ServiceException {
  try {
    long procId = server.deleteTable(ProtobufUtil.toTableName(request.getTableName()),
      request.getNonceGroup(), request.getNonce());
    // an audit log is required here.
    return DeleteTableResponse.newBuilder().setProcId(procId).build();
  } catch (IOException ioe) {
    throw new ServiceException(ioe);
  }
}
{code}
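One way the audit line requested for "deleteTable" could look, as an added, self-contained sketch that is not HBase code and not the reporter's patch. `TableAdmin`, `sanitize`, `auditLine` and the logger name are hypothetical, and `java.util.logging` stands in for the SLF4J-style `AUDITLOG` in the snippets above; it records failed attempts as well as successful ones and neutralizes control characters in request-supplied values.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.Optional;
import java.util.logging.Logger;

// Added sketch, not HBase code: audit a destructive RPC on success and on failure.
public class DeleteTableAuditExample {
  // Assumed logger name; the snippets above use an SLF4J-style AUDITLOG instead.
  private static final Logger AUDITLOG = Logger.getLogger("example.audit");

  // Hypothetical stand-in for the master call made inside deleteTable.
  interface TableAdmin {
    long deleteTable(String tableName) throws IOException;
  }

  // Replace control characters so a request value cannot start a forged audit line.
  static String sanitize(String value) {
    return value == null ? "" : value.replaceAll("\\p{Cntrl}", "_");
  }

  static String auditLine(String user, String addr, String op, String target, String outcome) {
    return String.format("User %s (remote address: %s) %s request for %s: %s",
        sanitize(user), sanitize(addr), op, sanitize(target), sanitize(outcome));
  }

  static long deleteTable(TableAdmin admin, Optional<String> caller,
      Optional<InetAddress> remote, String tableName) throws IOException {
    String user = caller.orElse("");
    String addr = remote.map(InetAddress::toString).orElse("");
    try {
      long procId = admin.deleteTable(tableName);
      AUDITLOG.info(auditLine(user, addr, "deleteTable", tableName, "procId=" + procId));
      return procId;
    } catch (IOException ioe) {
      // A failed or denied delete is recorded too, then rethrown unchanged.
      AUDITLOG.warning(
          auditLine(user, addr, "deleteTable", tableName, "failed: " + ioe.getMessage()));
      throw ioe;
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed inputs: a fixed address and a table name carrying an embedded newline.
    InetAddress remote = InetAddress.getByAddress(new byte[] {10, 0, 0, 5});
    deleteTable(name -> 42L, Optional.of("alice"), Optional.of(remote), "ns:t1\nUser root");
  }
}
```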