hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13693) Make the SPNEGO initialization OPTIONS message in kms audit log admin-friendly
Date Fri, 14 Oct 2016 22:17:22 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Xiao Chen updated HADOOP-13693:
-------------------------------
    Description: 
For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED ErrorMsg:'Authentication
required' message before the OK messages. This is expected, and due to the spnego authentication
sequence. (Notice method == {{OPTIONS}})
{noformat}
2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
ErrorMsg:'Authentication required'
2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=0ms]

2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=10193ms]

{noformat}

However, admins/auditors see this and can easily get confused/alerted. We should make it obvious
this is benign.

  was:
For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED ErrorMsg:'Authentication
required' message before the OK messages. This is expected, and due to the spnego authentication
sequence. (Notice method == {{OPTIONS}})
{noformat}
2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
ErrorMsg:'Authentication required'
2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=0ms]

2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1, interval=10193ms]

{noformat}

However, admins/auditors see this and can easily get confused/alerted. We should make it obvious
this is benign, and help them focus on the real errors.


> Make the SPNEGO initialization OPTIONS message in kms audit log admin-friendly
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-13693
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13693
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Minor
>         Attachments: HADOOP-13693.01.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED ErrorMsg:'Authentication
required' message before the OK messages. This is expected, and due to the spnego authentication
sequence. (Notice method == {{OPTIONS}})
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1,
interval=0ms] 
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, accessCount=1,
interval=10193ms] 
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We should make
it obvious this is benign.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message