accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-3946) Not all accumulo events are audited for Audit logging
Date Fri, 07 Aug 2015 23:57:45 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-3946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14662671#comment-14662671
] 

Josh Elser commented on ACCUMULO-3946:
--------------------------------------

I see. I assumed your success/failure columns in the table you provided earlier were for whether
or not the operation was allowed. Given what you actually meant, none of the audit operations
currently work how you want. The audit success/failure is a permitted or not permitted for
the user to invoke some method (e.g. createTable)

As such, I don't think I feel comfortable changing how auditing fundamentally works in 1.5.

I don't think audit should be bleeding down into the low-level FATE operations either. We
should audit the operation at the high-level, e.g. MasterClientServiceHandler (via AuditedSecurityOperation).
In 1.5, I think this is the simplest example that audits how I think it should be done:

{code}
    @Override
    public void setMasterGoalState(TInfo info, TCredentials c, MasterGoalState state) throws
ThriftSecurityException, TException {
      security.canPerformSystemActions(c);

      Master.this.setMasterGoalState(state);
    }
{code}

Very simple: the RPC implementation audits the user making the call, and then performs the
action if the user was allowed (in this case, canPerformSystemAction() should throw an exception
if the user was disallowed. Throwing an exception and not checking a boolean value is a little
obtuse, but ignore that :D)

> Not all accumulo events are audited for Audit logging
> -----------------------------------------------------
>
>                 Key: ACCUMULO-3946
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3946
>             Project: Accumulo
>          Issue Type: Bug
>    Affects Versions: 1.5.3
>            Reporter: James Mello
>            Assignee: James Mello
>             Fix For: 1.5.4
>
>
> Currently accumulo does not log all the major events such as table creation and permissions
changes. Please modify the existing logging to include missing auditing. Note this is related
to ticket ACCUMUO-3939.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message