[jira] [Commented] (ACCUMULO-3939) Accumulo AuditedSecurityOperation is not initialized properly

Wed, 22 Jul 2015 15:32:23 -0700 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-3939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637775#comment-14637775
 ] 

James Mello commented on ACCUMULO-3939:
---------------------------------------

Unfortunately there isn't a workaround. The getInstance() class is always
called to get the SecurityOperations. Since it is always returning the
SecurityOpertations class and not the AuditedSecurityOperations there is
nothing that a logging config can do to change the behavior.

There are other things that still need to be audited that would probably be
good to do: Here is a matrix of items that I went through and found out.

In particular none of the MasterServer actions are audited, so things like
create table, offline table etc are never part of an audit log except on
failure.


On Wed, Jul 22, 2015 at 3:26 PM, Christopher Tubbs (JIRA) <[email protected]>
wrote:



> Accumulo AuditedSecurityOperation is not initialized properly
> -------------------------------------------------------------
>
>                 Key: ACCUMULO-3939
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3939
>             Project: Accumulo
>          Issue Type: Bug
>    Affects Versions: 1.5.3
>            Reporter: James Mello
>            Priority: Critical
>              Labels: easyfix
>         Attachments: ACCUMULO-3939.patch, generic_logger.xml
>
>
> While reading the source I found out that the AuditedSecurityOperation is 
> never initialized properly.
> The AuditSecurityOperation does not contain a getInstance() static method. 
> This in turn just calls the SecurityOperation getInstance() method. Because 
> this is called in a static manner the getInstance(String instanceId, boolean 
> initialize) is called against the SecurityOperation class not the 
> AuditedSecurityOperation class.
> This should just be a simple fix that adds the getInstance() method to the 
> AuditedSecurityOperation class.
> This is critical as we are in need of this security auditing to meet 
> Information Assurance requirements for an upcoming major release of our 
> software.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to