[jira] [Updated] (HADOOP-13693) Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log
[ https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Xiao Chen updated HADOOP-13693: --- Labels: supportability (was: ) > Remove the message about HTTP OPTIONS in SPNEGO initialization message from > kms audit log > - > > Key: HADOOP-13693 > URL: https://issues.apache.org/jira/browse/HADOOP-13693 > Project: Hadoop Common > Issue Type: Improvement > Components: kms >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Minor > Labels: supportability > Fix For: 3.0.0-alpha2 > > Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch > > > For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED > ErrorMsg:'Authentication required' message before the OK messages. This is > expected, and due to the spnego authentication sequence. (Notice method == > {{OPTIONS}}) > {noformat} > 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS > URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt > ErrorMsg:'Authentication required' > 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, > accessCount=1, interval=0ms] > 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, > accessCount=1, interval=10193ms] > {noformat} > However, admins/auditors see this and can easily get confused/alerted. We > should make it obvious this is benign. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-13693) Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log
[ https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Xiao Chen updated HADOOP-13693: --- Resolution: Fixed Hadoop Flags: Incompatible change,Reviewed (was: Incompatible change) Fix Version/s: 3.0.0-alpha2 Release Note: kms-audit.log used to show an UNAUTHENTICATED message even for successful operations, because of the OPTIONS HTTP request during SPNEGO initial handshake. This message brings more confusion than help, and has hence been removed. Status: Resolved (was: Patch Available) Committed to trunk. Thanks Andrew, Xiaoyu and Arun for the feedback! > Remove the message about HTTP OPTIONS in SPNEGO initialization message from > kms audit log > - > > Key: HADOOP-13693 > URL: https://issues.apache.org/jira/browse/HADOOP-13693 > Project: Hadoop Common > Issue Type: Improvement > Components: kms >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Minor > Fix For: 3.0.0-alpha2 > > Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch > > > For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED > ErrorMsg:'Authentication required' message before the OK messages. This is > expected, and due to the spnego authentication sequence. (Notice method == > {{OPTIONS}}) > {noformat} > 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS > URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt > ErrorMsg:'Authentication required' > 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, > accessCount=1, interval=0ms] > 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, > accessCount=1, interval=10193ms] > {noformat} > However, admins/auditors see this and can easily get confused/alerted. We > should make it obvious this is benign. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-13693) Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log
[ https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Xiao Chen updated HADOOP-13693: --- Summary: Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log (was: Make the SPNEGO initialization OPTIONS message in kms audit log admin-friendly) > Remove the message about HTTP OPTIONS in SPNEGO initialization message from > kms audit log > - > > Key: HADOOP-13693 > URL: https://issues.apache.org/jira/browse/HADOOP-13693 > Project: Hadoop Common > Issue Type: Improvement > Components: kms >Reporter: Xiao Chen >Assignee: Xiao Chen >Priority: Minor > Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch > > > For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED > ErrorMsg:'Authentication required' message before the OK messages. This is > expected, and due to the spnego authentication sequence. (Notice method == > {{OPTIONS}}) > {noformat} > 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS > URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt > ErrorMsg:'Authentication required' > 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, > accessCount=1, interval=0ms] > 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, > accessCount=1, interval=10193ms] > {noformat} > However, admins/auditors see this and can easily get confused/alerted. We > should make it obvious this is benign. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org