hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13693) Make the SPNEGO initialization OPTIONS message in kms audit log more admin-friendly
Date Fri, 07 Oct 2016 00:38:21 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15553696#comment-15553696
] 

Xiao Chen commented on HADOOP-13693:
------------------------------------

This is audit log, so incompatible by default.
We have several choices to improve:
# since this is an {{OPTIONS}} http method, maybe we can hence not log it into audit logs.
# change the {{AuthenticationFilter}} to no longer return an error for this type of requests.
# update the audit message to give better context.

IMO logging is theoretically correct, and changing the server code feels risky. So posting
a patch to do #3 here.
[~xyao], I see you helped resolving the linked HDFS-10428. What's your opinion about this
one? Also ping [~asuresh] for input. Thank you both in advance.

> Make the SPNEGO initialization OPTIONS message in kms audit log more admin-friendly
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13693
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13693
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Minor
>         Attachments: HADOOP-13693.01.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED ErrorMsg:'Authentication
required' message before the OK messages. This is expected, and due to the spnego authentication
sequence.
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1,
interval=0ms] 
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1,
interval=10193ms] 
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We should make
it obvious this is benign, and help them focus on the real errors.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message