[
https://issues.apache.org/jira/browse/HBASE-6386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13541139#comment-13541139
]
Matteo Bertozzi commented on HBASE-6386:
----------------------------------------
The family/qualifier output now looks like this
{code}
request: put; context: (user=th30z, scope=test-table, family=cf0:q|cf1:q, action=WRITE)
request: put; context: (user=th30z, scope=.META., family=info:server|info:serverstartcode, action=WRITE)
request: get; context: (user=th30z, scope=.META., family=info, action=READ)
request: get; context: (user=th30z, scope=testtb, family=cf|cf2, action=READ)
request: get; context: (user=th30z, scope=testtb, family=cf:q, action=READ)
request: scannerOpen; context: (user=th30z, scope=testtb, family=cf|cf2, action=READ)
request: scannerOpen; context: (user=th30z, scope=testtb, family=cf:q, action=READ)
request: scannerOpen; context: (user=th30z, scope=testtb, family=cf:q|cf2:q, action=READ)
request: delete; context: (user=th30z, scope=testtb, family=cf:q, action=WRITE)
{code}
> Audit log messages do not include column family / qualifier information consistently
> ------------------------------------------------------------------------------------
>
> Key: HBASE-6386
> URL: https://issues.apache.org/jira/browse/HBASE-6386
> Project: HBase
> Issue Type: Improvement
> Components: security
> Affects Versions: 0.96.0
> Reporter: Marcelo Vanzin
> Attachments: hbase-6386-v1.patch, hbase-6386-v2.patch, HBASE-6386-v3.patch
>
>
> The code related to this issue is in AccessController.java:permissionGranted().
> When creating audit logs, that method will do one of the following:
> * grant access, create audit log with table name only
> * deny access because of table permission, create audit log with table name only
> * deny access because of column family / qualifier permission, create audit log with specific family / qualifier
> So, in the case where more than one column family and/or qualifier are in the
> same request, there will be a loss of information. Even in the case where
> only one column family and/or qualifier is involved, information may be lost.
> It would be better if this behavior consistently included all the information
> in the request; regardless of access being granted or denied, and regardless
> which permission caused the denial, the column family and qualifier info
> should be part of the audit log message.
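With family and qualifier now present on every audit message, the lines can be turned into per-user column access records. The parser below is an added example, not code from the patch or from HBase; the names parse_audit and columns_by_user are hypothetical, and it assumes table, family and qualifier names contain none of the characters , | : ) since the sample output shows no escaping.

```python
import re
from collections import defaultdict

# Matches only the message body shown in the comment above; any logger
# prefix (timestamp, level, allow/deny text) is not on the page and is ignored.
AUDIT_RE = re.compile(r"request: (?P<request>\w+); context: \((?P<context>[^)]*)\)")

def parse_audit(line):
    """Return a dict for one audit message, or None if the line does not match."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    fields = {}
    for part in m.group("context").split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    # family=cf:q|cf2 -> [("cf", "q"), ("cf2", None)]; None means whole family.
    columns = []
    for item in filter(None, fields.get("family", "").split("|")):
        family, sep, qualifier = item.partition(":")
        columns.append((family, qualifier if sep else None))
    return {
        "request": m.group("request"),
        "user": fields.get("user"),
        "table": fields.get("scope"),
        "action": fields.get("action"),
        "columns": columns,
    }

def columns_by_user(lines, action):
    """Map user -> set of (table, family, qualifier) touched with `action`."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_audit(line)
        if rec and rec["action"] == action:
            for family, qualifier in rec["columns"]:
                seen[rec["user"]].add((rec["table"], family, qualifier))
    return dict(seen)

# Sample lines taken from the comment above, with the mail line-wrapping undone.
SAMPLE = [
    "request: put; context: (user=th30z, scope=test-table, family=cf0:q|cf1:q, action=WRITE)",
    "request: get; context: (user=th30z, scope=.META., family=info, action=READ)",
    "request: scannerOpen; context: (user=th30z, scope=testtb, family=cf:q|cf2:q, action=READ)",
    "request: delete; context: (user=th30z, scope=testtb, family=cf:q, action=WRITE)",
]
```

A name that does contain one of the delimiter characters would be split incorrectly, so treat records from such tables as unparsed rather than trusting the column list.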