[jira] [Updated] (HBASE-27528) log duplication issues in MasterRpcServices
[ https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Beibei Zhao updated HBASE-27528: Description: MasterRpcServices record audit log in privileged operations (grant, revoke) and vital apis like "execMasterService". {code:java} public RevokeResponse revoke(RpcController controller, RevokeRequest request) throws ServiceException { try { .. server.cpHost.preRevoke(userPermission); // has audit log in AccessChecker .. // removeUserPermission User caller = RpcServer.getRequestUser().orElse(null); if (AUDITLOG.isTraceEnabled()) { // audit log should record all permission changes String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress, userPermission); } .. } {code} but I found a path from *server.cpHost.preRevoke(userPermission);* to {*}AccessChecker audit log{*}, which caused {*}log duplication{*}. *_+grant/revoke -> AccessController.preGrant/Revoke -> preGrantOrRevoke -> AccessChecker.requireGlobalPermission/... -> logResult+_* {code:java} public void requireGlobalPermission(User user, String request, Action perm, String namespace) throws IOException { AuthResult authResult; if (authManager.authorizeUserGlobal(user, perm)) { authResult = AuthResult.allow(request, "Global check allowed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); } else { authResult = AuthResult.deny(request, "Global check failed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); throw new AccessDeniedException( "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") + "' (global, action=" + perm.toString() + ")"); } } public static void logResult(AuthResult result) { if (AUDITLOG.isTraceEnabled()) { User user = result.getUser(); UserGroupInformation ugi = user != null ? user.getUGI() : null; AUDITLOG.trace( "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {};" + "auth method: {}", (result.isAllowed() ? "allowed" : "denied"), (user != null ? user.getShortName() : "UNKNOWN"), result.getReason(), RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""), result.getRequest(), result.toContextString(), ugi != null ? ugi.getAuthenticationMethod() : "UNKNOWN"); } } {code} Since *AccessChecker* integrates auditlogs for permission check, I'll delete the log in MasterRpcServices. There must be more problems like this, I' ll check it later and commit the code. -There are many "write" operations like "deleteTable", which may cause security problems, should also record an audit log.- was: MasterRpcServices record audit log in privileged operations (grant, revoke) and vital apis like "execMasterService". {code:java} public RevokeResponse revoke(RpcController controller, RevokeRequest request) throws ServiceException { try { .. server.cpHost.preRevoke(userPermission); // has audit log in AccessChecker .. // removeUserPermission User caller = RpcServer.getRequestUser().orElse(null); if (AUDITLOG.isTraceEnabled()) { // audit log should record all permission changes String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress, userPermission); } .. } {code} but I found a path from *server.cpHost.preRevoke(userPermission);* to {*}AccessChecker audit log{*}, which caused {*}log duplication{*}. {code:java} public void requireGlobalPermission(User user, String request, Action perm, String namespace) throws IOException { AuthResult authResult; if (authManager.authorizeUserGlobal(user, perm)) { authResult = AuthResult.allow(request, "Global check allowed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); } else { authResult = AuthResult.deny(request, "Global check failed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); throw new AccessDeniedException( "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") + "' (global, action=" + perm.toString() + ")"); } } public static void logResult(AuthResult result) { if (AUDITLOG.isTraceEnabled()) { User user = result.getUser(); UserGroupInformation ugi = user != null ? user.getUGI()
[jira] [Updated] (HBASE-27528) log duplication issues in MasterRpcServices
[ https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Beibei Zhao updated HBASE-27528: Description: MasterRpcServices record audit log in privileged operations (grant, revoke) and vital apis like "execMasterService". {code:java} public RevokeResponse revoke(RpcController controller, RevokeRequest request) throws ServiceException { try { .. server.cpHost.preRevoke(userPermission); // has audit log in AccessChecker .. // removeUserPermission User caller = RpcServer.getRequestUser().orElse(null); if (AUDITLOG.isTraceEnabled()) { // audit log should record all permission changes String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); AUDITLOG.trace("User {} (remote address: {}) revoked permission {}", caller, remoteAddress, userPermission); } .. } {code} but I found a path from *server.cpHost.preRevoke(userPermission);* to {*}AccessChecker audit log{*}, which caused {*}log duplication{*}. {code:java} public void requireGlobalPermission(User user, String request, Action perm, String namespace) throws IOException { AuthResult authResult; if (authManager.authorizeUserGlobal(user, perm)) { authResult = AuthResult.allow(request, "Global check allowed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); } else { authResult = AuthResult.deny(request, "Global check failed", user, perm, null); authResult.getParams().setNamespace(namespace); logResult(authResult); throw new AccessDeniedException( "Insufficient permissions for user '" + (user != null ? user.getShortName() : "null") + "' (global, action=" + perm.toString() + ")"); } } public static void logResult(AuthResult result) { if (AUDITLOG.isTraceEnabled()) { User user = result.getUser(); UserGroupInformation ugi = user != null ? user.getUGI() : null; AUDITLOG.trace( "Access {} for user {}; reason: {}; remote address: {}; request: {}; context: {};" + "auth method: {}", (result.isAllowed() ? "allowed" : "denied"), (user != null ? user.getShortName() : "UNKNOWN"), result.getReason(), RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""), result.getRequest(), result.toContextString(), ugi != null ? ugi.getAuthenticationMethod() : "UNKNOWN"); } } {code} Since *AccessChecker* integrates auditlogs for permission check, I'll delete the log in MasterRpcServices. There must be more problems like this, I' ll check it later and commit the code. -There are many "write" operations like "deleteTable", which may cause security problems, should also record an audit log.- was: MasterRpcServices record audit log in privileged operations (grant, revoke) and vital apis like "execMasterService". {code:java} public ClientProtos.CoprocessorServiceResponse execMasterService(final RpcController controller, .. String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); User caller = RpcServer.getRequestUser().orElse(null); AUDITLOG.info("User {} (remote address: {}) master service request for {}.{}", caller, remoteAddress, serviceName, methodName); return CoprocessorRpcUtils.getResponse(execResult, HConstants.EMPTY_BYTE_ARRAY); } catch (IOException ie) { throw new ServiceException(ie); } } {code} There are many "write" operations like "deleteTable", which may cause security problems, should also record an audit log. {code:java} public DeleteTableResponse deleteTable(RpcController controller, DeleteTableRequest request) throws ServiceException { try { long procId = server.deleteTable(ProtobufUtil.toTableName(request.getTableName()), request.getNonceGroup(), request.getNonce()); // an audit log is required here. return DeleteTableResponse.newBuilder().setProcId(procId).build(); } catch (IOException ioe) { throw new ServiceException(ioe); } } {code} > log duplication issues in MasterRpcServices > --- > > Key: HBASE-27528 > URL: https://issues.apache.org/jira/browse/HBASE-27528 > Project: HBase > Issue Type: Bug > Components: logging, master, rpc, security >Reporter: Beibei Zhao >Priority: Major > > MasterRpcServices record audit log in privileged operations (grant, revoke) > and vital apis like "execMasterService". > {code:java} > public RevokeResponse revoke(RpcController controller, RevokeRequest > request) > throws ServiceException { > try { > .. > server.cpHost.preRevoke(userPermission); //
[jira] [Updated] (HBASE-27528) log duplication issues in MasterRpcServices
[ https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Beibei Zhao updated HBASE-27528: Issue Type: Bug (was: Improvement) > log duplication issues in MasterRpcServices > --- > > Key: HBASE-27528 > URL: https://issues.apache.org/jira/browse/HBASE-27528 > Project: HBase > Issue Type: Bug > Components: logging, master, rpc, security >Reporter: Beibei Zhao >Priority: Major > > MasterRpcServices record audit log in privileged operations (grant, revoke) > and vital apis like "execMasterService". > > {code:java} > public ClientProtos.CoprocessorServiceResponse execMasterService(final > RpcController controller, > .. > String remoteAddress = > RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); > User caller = RpcServer.getRequestUser().orElse(null); > AUDITLOG.info("User {} (remote address: {}) master service request for > {}.{}", caller, > remoteAddress, serviceName, methodName); > return CoprocessorRpcUtils.getResponse(execResult, > HConstants.EMPTY_BYTE_ARRAY); > } catch (IOException ie) { > throw new ServiceException(ie); > } > } > {code} > There are many "write" operations like "deleteTable", which may cause > security problems, should also record an audit log. > {code:java} > public DeleteTableResponse deleteTable(RpcController controller, > DeleteTableRequest request) > throws ServiceException { > try { > long procId = > server.deleteTable(ProtobufUtil.toTableName(request.getTableName()), > request.getNonceGroup(), request.getNonce()); > // an audit log is required here. > return DeleteTableResponse.newBuilder().setProcId(procId).build(); > } catch (IOException ioe) { > throw new ServiceException(ioe); > } > } > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (HBASE-27528) log duplication issues in MasterRpcServices
[ https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Beibei Zhao updated HBASE-27528: Summary: log duplication issues in MasterRpcServices (was: Add audit logs in MasterRpcServices) > log duplication issues in MasterRpcServices > --- > > Key: HBASE-27528 > URL: https://issues.apache.org/jira/browse/HBASE-27528 > Project: HBase > Issue Type: Improvement > Components: logging, master, rpc, security >Reporter: Beibei Zhao >Priority: Major > > MasterRpcServices record audit log in privileged operations (grant, revoke) > and vital apis like "execMasterService". > > {code:java} > public ClientProtos.CoprocessorServiceResponse execMasterService(final > RpcController controller, > .. > String remoteAddress = > RpcServer.getRemoteAddress().map(InetAddress::toString).orElse(""); > User caller = RpcServer.getRequestUser().orElse(null); > AUDITLOG.info("User {} (remote address: {}) master service request for > {}.{}", caller, > remoteAddress, serviceName, methodName); > return CoprocessorRpcUtils.getResponse(execResult, > HConstants.EMPTY_BYTE_ARRAY); > } catch (IOException ie) { > throw new ServiceException(ie); > } > } > {code} > There are many "write" operations like "deleteTable", which may cause > security problems, should also record an audit log. > {code:java} > public DeleteTableResponse deleteTable(RpcController controller, > DeleteTableRequest request) > throws ServiceException { > try { > long procId = > server.deleteTable(ProtobufUtil.toTableName(request.getTableName()), > request.getNonceGroup(), request.getNonce()); > // an audit log is required here. > return DeleteTableResponse.newBuilder().setProcId(procId).build(); > } catch (IOException ioe) { > throw new ServiceException(ioe); > } > } > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)