[jira] [Updated] (HADOOP-13693) Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log
[
https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiao Chen updated HADOOP-13693:
---
Labels: supportability (was: )
> Remove the message about HTTP OPTIONS in SPNEGO initialization message from
> kms audit log
> -
>
> Key: HADOOP-13693
> URL: https://issues.apache.org/jira/browse/HADOOP-13693
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms
>Reporter: Xiao Chen
>Assignee: Xiao Chen
>Priority: Minor
> Labels: supportability
> Fix For: 3.0.0-alpha2
>
> Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED
> ErrorMsg:'Authentication required' message before the OK messages. This is
> expected, and due to the spnego authentication sequence. (Notice method ==
> {{OPTIONS}})
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS
> URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
> ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera,
> accessCount=1, interval=0ms]
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera,
> accessCount=1, interval=10193ms]
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We
> should make it obvious this is benign.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-13693) Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log
[
https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiao Chen updated HADOOP-13693:
---
Resolution: Fixed
Hadoop Flags: Incompatible change,Reviewed (was: Incompatible change)
Fix Version/s: 3.0.0-alpha2
Release Note: kms-audit.log used to show an UNAUTHENTICATED message even
for successful operations, because of the OPTIONS HTTP request during SPNEGO
initial handshake. This message brings more confusion than help, and has hence
been removed.
Status: Resolved (was: Patch Available)
Committed to trunk. Thanks Andrew, Xiaoyu and Arun for the feedback!
> Remove the message about HTTP OPTIONS in SPNEGO initialization message from
> kms audit log
> -
>
> Key: HADOOP-13693
> URL: https://issues.apache.org/jira/browse/HADOOP-13693
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms
>Reporter: Xiao Chen
>Assignee: Xiao Chen
>Priority: Minor
> Fix For: 3.0.0-alpha2
>
> Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED
> ErrorMsg:'Authentication required' message before the OK messages. This is
> expected, and due to the spnego authentication sequence. (Notice method ==
> {{OPTIONS}})
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS
> URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
> ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera,
> accessCount=1, interval=0ms]
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera,
> accessCount=1, interval=10193ms]
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We
> should make it obvious this is benign.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-13693) Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log
[
https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiao Chen updated HADOOP-13693:
---
Summary: Remove the message about HTTP OPTIONS in SPNEGO initialization
message from kms audit log (was: Make the SPNEGO initialization OPTIONS
message in kms audit log admin-friendly)
> Remove the message about HTTP OPTIONS in SPNEGO initialization message from
> kms audit log
> -
>
> Key: HADOOP-13693
> URL: https://issues.apache.org/jira/browse/HADOOP-13693
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms
>Reporter: Xiao Chen
>Assignee: Xiao Chen
>Priority: Minor
> Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED
> ErrorMsg:'Authentication required' message before the OK messages. This is
> expected, and due to the spnego authentication sequence. (Notice method ==
> {{OPTIONS}})
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS
> URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
> ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera,
> accessCount=1, interval=0ms]
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera,
> accessCount=1, interval=10193ms]
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We
> should make it obvious this is benign.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
