[ https://issues.apache.org/jira/browse/EAGLE-476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jayesh reassigned EAGLE-476:
----------------------------

    Assignee: Peter Kim

> Outdated HBase audit log parser
> -------------------------------
>
>                 Key: EAGLE-476
>                 URL: https://issues.apache.org/jira/browse/EAGLE-476
>             Project: Eagle
>          Issue Type: Bug
>            Reporter: Peter Kim
>            Assignee: Peter Kim
>            Priority: Major
>             Fix For: v0.5.0
>
>
> The parsing logic for HBase audit logs (security logs) fails for some of the
> newly formatted HBase audit logs. Obviously, this can cause the Eagle service
> to overlook these log lines, and fail to generate alerts, which can have a
> severe outcome in terms of security. For example:
> 2016-08-17 14:09:52,232 TRACE 
> SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: 
> Access allowed for user petkim; reason: Table permission granted; remote 
> address: /127.0.0.1; request: flush; context: (user=petkim, scope=hbase:meta, 
> params=[table=hbase:meta],action=ADMIN)
> 2016-08-17 14:04:27,042 TRACE 
> SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: 
> Access allowed for user petkim; reason: All users allowed; remote address: 
> /111.1.1.1; request: scan; context: (user=petkim, scope=hbase:meta, 
> family=info, params=[table=hbase:meta,family=info],action=READ)
> These log lines are not parsed correctly as the fields that the current regex 
> matches are static. The first log does not have the field "family" and the 
> second one has a new field named "params". So, the parsing logic fails here.
> To fix this and ensure scalability (reliable no matter how many fields are
> omitted or added), I will extend the current parsing logic to be more reliable.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
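
An added example, not Eagle's parser or the reporter's fix: a field-order-independent way to parse the two lines quoted in the issue, where only the prefix is matched by a fixed regex and the context is read as generic key=value pairs. All function and constant names are hypothetical, and the sample lines are the report's two lines joined onto one line each.

```python
import re

# Only the prefix is fixed; every field after the user name is parsed generically.
HEADER = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"(?P<logger>\S+): Access (?P<status>\w+) for user (?P<user>[^;]+); (?P<rest>.+)$")
# A comma that is not inside [...], so params=[table=t,family=f] stays one item.
TOP_LEVEL_COMMA = re.compile(r",(?![^\[]*\])")

def parse_pairs(text):
    """Turn 'k=v, p=[a=b,c=d]' into a dict; a bracketed value becomes a nested dict."""
    pairs = {}
    for item in filter(None, (p.strip() for p in TOP_LEVEL_COMMA.split(text))):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {item!r}")
        if value.startswith("[") and value.endswith("]"):
            value = parse_pairs(value[1:-1])
        pairs[key] = value
    return pairs

def parse_audit_line(line):
    """Parse one line; raise ValueError so an unknown format is surfaced, not skipped."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unrecognized audit line: {line!r}")
    record = {k: m[k] for k in ("timestamp", "level", "logger", "status", "user")}
    head, sep, context = m["rest"].partition("; context: (")
    for field in head.split("; "):
        name, colon, value = field.partition(": ")
        if colon:
            record[name.replace(" ", "_")] = value
    record["context"] = parse_pairs(re.sub(r"\)\s*$", "", context)) if sep else {}
    return record

PREFIX = "TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: "
# The two lines from the report, joined onto one line each.
SAMPLES = [
    "2016-08-17 14:09:52,232 " + PREFIX + "Access allowed for user petkim; reason: Table "
    "permission granted; remote address: /127.0.0.1; request: flush; context: "
    "(user=petkim, scope=hbase:meta, params=[table=hbase:meta],action=ADMIN)",
    "2016-08-17 14:04:27,042 " + PREFIX + "Access allowed for user petkim; reason: All "
    "users allowed; remote address: /111.1.1.1; request: scan; context: (user=petkim, "
    "scope=hbase:meta, family=info, params=[table=hbase:meta,family=info],action=READ)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_audit_line(line))
```

A caller that catches the ValueError should count and report the rejected line, since a silently dropped audit line is the failure the issue describes.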
