hbase-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marcelo Vanzin <van...@cloudera.com>
Subject Re: Enhancing AccessController
Date Thu, 12 Jul 2012 22:34:53 GMT
Hi Andrew, thanks for the feedback.

On Thu, Jul 12, 2012 at 2:56 PM, Andrew Purtell <apurtell@apache.org> wrote:
> I'd argue the entire security side of Hadoop is in need of some
> serious work regards audit. For starters, consistent audit logging
> formats: success is logged at INFO level, failure is logged via
> exception.

I won't dispute that. :-) Consistent behavior is a good thing. For
example, HDFS logs audit messages at INFO level today (IIRC), while
HBase does so at TRACE level. For starters, that means HBase audit
logs won't be available by default in most installations.

>> (i) Lack of column family information in audit logs
> Consider filing a JIRA for this as a subtask under
> https://issues.apache.org/jira/browse/HBASE-6096.

Will do.

>> (ii) The access controller does not work if authentication is disabled.
> IMHO, doing anything with authentication disabled is out of design
> scope. Reasonable people may disagree.

I don't have a strong opinion about this being a feature of the
AccessController. It can be done easily enough with a custom
coprocessor. The only thing that is kinda sketchy in the custom
coprocessor approach is the definition of "what requests map to what
required permissions", something that is baked into the
AccessController code today.

That's not too much information to replicate, but having it available
in an easier manner would help a lot here.

>> (iii) There's no easy way to customize processing of audit events.
>> Audit events are written to a log appender in a private method in
>> AccessController.java; this means anyone who wants something
>> different, like writing this data to a database, has to go through the
>> logging system to do it.
> This is consistent with how all of Hadoop does logging. I don't think
> we should roll our own. That doesn't improve the situation for system
> operators, it means they have to deal with all other parts of Hadoop
> then do something else for HBase specifically. That said,

Well, the logging path wouldn't go away; this would just be an
extension for people who have might complicated needs than just
writing to log files. We're looking at maybe providing a similar thing
for HDFS. In the end, we don't want the easy way to be any different
than it is today, but at the same time have a system where doing more
complicated things is possible.

>> I actually have a working
>> prototype for this approach on top of HBase 0.92, I can post the patch
>> somewhere if anyone is interested.
> Suggest putting it up as another subtask under
> https://issues.apache.org/jira/browse/HBASE-6096 so we can review it.

I'll play with it some more and post something.


View raw message