[ https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Beibei Zhao updated HBASE-27528: -------------------------------- Description: MasterRpcServices record audit log in privileged operations (grant, revoke) and vital apis like "execMasterService". {code:java} public RevokeResponse revoke(RpcController controller, RevokeRequest request) throws ServiceException { try { ...... server.cpHost.preRevoke(userPermission); // has audit log in AccessChecker ...... // removeUserPermission User caller = RpcServer.getRequestUser().orElse(null); if (AUDITLOG.isTraceEnabled()) { // audit log should record all permission changes String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress, userPermission); } ...... } {code} but I found a path from *server.cpHost.preRevoke(userPermission);* to {*}AccessChecker audit log{*}, which caused {*}log duplication{*}. {code:java} public void requireGlobalPermission(User user, String request, Action perm, String namespace) throws IOException { AuthResult authResult; if (authManager.authorizeUserGlobal(user, perm)) { authResult = AuthResult.allow(request, "Global check allowed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); } else { authResult = AuthResult.deny(request, "Global check failed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); throw new AccessDeniedException( "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") + "' (global, action=" + perm.toString() + ")"); } } public static void logResult(AuthResult result) { if (AUDITLOG.isTraceEnabled()) { User user = result.getUser(); UserGroupInformation ugi = user != null ? user.getUGI() : null; AUDITLOG.trace( "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {};" + "auth method: {}", (result.isAllowed() ? "allowed" : "denied"), (user != null ? user.getShortName() : "UNKNOWN"), result.getReason(), RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""), result.getRequest(), result.toContextString(), ugi != null ? ugi.getAuthenticationMethod() : "UNKNOWN"); } } {code} Since *AccessChecker* integrates auditlogs for permission check, I'll delete the log in MasterRpcServices. There must be more problems like this, I' ll check it later and commit the code. -There are many "write" operations like "deleteTable", which may cause security problems, should also record an audit log.- was: MasterRpcServices record audit log in privileged operations (grant, revoke) and vital apis like "execMasterService". {code:java} public ClientProtos.CoprocessorServiceResponse execMasterService(final RpcController controller, ...... String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); User caller = RpcServer.getRequestUser().orElse(null); AUDITLOG.info("User {} (remote address: {}) master service request for {}.{}", caller, remoteAddress, serviceName, methodName); return CoprocessorRpcUtils.getResponse(execResult, HConstants.EMPTY_BYTE_ARRAY); } catch (IOException ie) { throw new ServiceException(ie); } } {code} There are many "write" operations like "deleteTable", which may cause security problems, should also record an audit log. {code:java} public DeleteTableResponse deleteTable(RpcController controller, DeleteTableRequest request) throws ServiceException { try { long procId = server.deleteTable(ProtobufUtil.toTableName(request.getTableName()), request.getNonceGroup(), request.getNonce()); // an audit log is required here. return DeleteTableResponse.newBuilder().setProcId(procId).build(); } catch (IOException ioe) { throw new ServiceException(ioe); } } {code} > log duplication issues in MasterRpcServices > ------------------------------------------- > > Key: HBASE-27528 > URL: https://issues.apache.org/jira/browse/HBASE-27528 > Project: HBase > Issue Type: Bug > Components: logging, master, rpc, security > Reporter: Beibei Zhao > Priority: Major > > MasterRpcServices record audit log in privileged operations (grant, revoke) > and vital apis like "execMasterService". > {code:java} > public RevokeResponse revoke(RpcController controller, RevokeRequest > request) > throws ServiceException { > try { > ...... > server.cpHost.preRevoke(userPermission); // has audit log in > AccessChecker > ...... // removeUserPermission > User caller = RpcServer.getRequestUser().orElse(null); > if (AUDITLOG.isTraceEnabled()) { > // audit log should record all permission changes > String remoteAddress = > RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); > AUDITLOG.trace("User {} (remote address: {}) revoked permission > {}", caller, > remoteAddress, userPermission); > } > ...... > } > {code} > but I found a path from *server.cpHost.preRevoke(userPermission);* to > {*}AccessChecker audit log{*}, which caused {*}log duplication{*}. > {code:java} > public void requireGlobalPermission(User user, String request, Action perm, > String namespace) > throws IOException { > AuthResult authResult; > if (authManager.authorizeUserGlobal(user, perm)) { > authResult = AuthResult.allow(request, "Global check allowed", user, > perm, null); > authResult.getParams().setNamespace(namespace); > logResult(authResult); > } else { > authResult = AuthResult.deny(request, "Global check failed", user, > perm, null); > authResult.getParams().setNamespace(namespace); > logResult(authResult); > throw new AccessDeniedException( > "Insufficient permissions for user '" + (user != null ? > user.getShortName() : "null") > + "' (global, action=" + perm.toString() + ")"); > } > } > public static void logResult(AuthResult result) { > if (AUDITLOG.isTraceEnabled()) { > User user = result.getUser(); > UserGroupInformation ugi = user != null ? user.getUGI() : null; > AUDITLOG.trace( > "Access {} for user {}; reason: {}; remote address: {}; request: {}; > context: {};" > + "auth method: {}", > (result.isAllowed() ? "allowed" : "denied"), > (user != null ? user.getShortName() : "UNKNOWN"), result.getReason(), > RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""), > result.getRequest(), > result.toContextString(), ugi != null ? ugi.getAuthenticationMethod() > : "UNKNOWN"); > } > } > {code} > Since *AccessChecker* integrates auditlogs for permission check, I'll delete > the log in MasterRpcServices. > There must be more problems like this, I' ll check it later and commit the > code. > -There are many "write" operations like "deleteTable", which may cause > security problems, should also record an audit log.- -- This message was sent by Atlassian Jira (v8.20.10#820010)