[ https://issues.apache.org/jira/browse/HBASE-27528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17655803#comment-17655803 ]
Beibei Zhao edited comment on HBASE-27528 at 1/8/23 3:38 PM:
-------------------------------------------------------------

[~bbeaudreault] Thanks for your reply! You are right! I found a path from *revoke* to *AccessChecker* (log for deny or allow for a request). So there is a *log duplication* issue, I'll commit the code later.

was (Author: JIRAUSER296385):
[~bbeaudreault] Thanks for your reply! You are right! I found a path from *revoke* to *AccessChecker * (log for deny or allow for a request). So there is a log duplication issue, I'll commit the code later.

> Add audit logs in MasterRpcServices
> -----------------------------------
>
>                 Key: HBASE-27528
>                 URL: https://issues.apache.org/jira/browse/HBASE-27528
>             Project: HBase
>          Issue Type: Improvement
>          Components: logging, master, rpc, security
>            Reporter: Beibei Zhao
>            Priority: Major
>
> MasterRpcServices records audit logs for privileged operations (grant, revoke)
> and vital APIs like "execMasterService".
>
> {code:java}
>   public ClientProtos.CoprocessorServiceResponse execMasterService(final RpcController controller,
>     ......
>       String remoteAddress = RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("");
>       User caller = RpcServer.getRequestUser().orElse(null);
>       AUDITLOG.info("User {} (remote address: {}) master service request for {}.{}", caller,
>         remoteAddress, serviceName, methodName);
>       return CoprocessorRpcUtils.getResponse(execResult, HConstants.EMPTY_BYTE_ARRAY);
>     } catch (IOException ie) {
>       throw new ServiceException(ie);
>     }
>   }
> {code}
> There are many "write" operations like "deleteTable", which may cause
> security problems, and should also record an audit log.
> {code:java}
>   public DeleteTableResponse deleteTable(RpcController controller, DeleteTableRequest request)
>     throws ServiceException {
>     try {
>       long procId = server.deleteTable(ProtobufUtil.toTableName(request.getTableName()),
>         request.getNonceGroup(), request.getNonce());
>       // an audit log is required here.
>       return DeleteTableResponse.newBuilder().setProcId(procId).build();
>     } catch (IOException ioe) {
>       throw new ServiceException(ioe);
>     }
>   }
> {code}
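
An added example, not part of the original message and not HBase code: in the quoted deleteTable snippet the audit comment sits after server.deleteTable(...), so a call that throws IOException would leave no audit record. The self-contained sketch below (Java 16+) wraps a write operation so that exactly one audit line is emitted per request with its outcome; AuditOnceExample, RequestContext, audited and AUDIT_SINK are hypothetical names, and the user, address and table values are constructed.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.Callable;

public class AuditOnceExample {
  // Stand-in for the AUDITLOG logger: collects lines so they can be inspected.
  static final List<String> AUDIT_SINK = new ArrayList<>();

  // Hypothetical request context. In the quoted HBase code these values come from
  // RpcServer.getRequestUser() and RpcServer.getRemoteAddress().
  record RequestContext(Optional<String> user, Optional<String> remoteAddress) {}

  // Runs a write operation and emits exactly one audit line, whether the
  // operation returns normally or throws.
  static <T> T audited(RequestContext ctx, String op, String target, Callable<T> body)
      throws Exception {
    String outcome = "failed";
    try {
      T result = body.call();
      outcome = "succeeded";
      return result;
    } finally {
      // Same field order as the execMasterService message, plus the outcome.
      AUDIT_SINK.add(String.format("User %s (remote address: %s) %s on %s %s",
          ctx.user().orElse("null"), ctx.remoteAddress().orElse(""), op, target, outcome));
    }
  }

  public static void main(String[] args) {
    // Constructed sample caller and tables.
    RequestContext ctx = new RequestContext(Optional.of("alice"), Optional.of("/10.0.0.5"));
    try {
      long procId = audited(ctx, "deleteTable", "ns:t1", () -> 42L);
      System.out.println("procId=" + procId);
      audited(ctx, "deleteTable", "ns:missing", () -> {
        throw new IOException("table not found");
      });
    } catch (Exception e) {
      // The failed attempt is already in AUDIT_SINK; an RPC layer would rethrow here.
    }
    AUDIT_SINK.forEach(System.out::println); // one line per request, two in total
  }
}
```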