From: "Srikanth Srungarapu (JIRA)"
To: issues@hbase.apache.org
Date: Tue, 17 Mar 2015 01:03:13 +0000 (UTC)
Subject: [jira] [Commented] (HBASE-13235) Revisit the security auditing semantics.
[ https://issues.apache.org/jira/browse/HBASE-13235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364339#comment-14364339 ]

Srikanth Srungarapu commented on HBASE-13235:
---------------------------------------------

Relevant excerpts from the audit logs for the changes:

{code}
2015-03-16 17:49:29,165 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: Namespace permission granted; remote address: /192.168.1.5; request: createTable; context: (user=ssrungarapu, scope=default, params=[namespace=default,table=default:test,family=f1],action=CREATE)
2015-03-16 17:49:29,173 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: All users allowed; remote address: /192.168.1.5; request: get; context: (user=ssrungarapu, scope=hbase:meta, family=table:state, params=[table=hbase:meta,family=table:state],action=READ)
2015-03-16 17:50:05,308 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: Global check allowed; remote address: /192.168.1.5; request: createNamespace; context: (user=ssrungarapu, scope=GLOBAL, params=[namespace=ns],action=ADMIN)
2015-03-16 17:50:16,376 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: Table permission granted; remote address: /192.168.1.5; request: addColumn; context: (user=ssrungarapu, scope=default:test, params=[table=default:test,family=f2],action=ADMIN)
{code}

> Revisit the security auditing semantics.
> ----------------------------------------
>
>                 Key: HBASE-13235
>                 URL: https://issues.apache.org/jira/browse/HBASE-13235
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Srikanth Srungarapu
>            Assignee: Srikanth Srungarapu
>         Attachments: HBASE-13235.patch, HBASE-13235_v2.patch
>
>
> More specifically, the following things need a closer look. (Will include more based on feedback and/or suggestions.)
> * Table name (say test) instead of fully qualified table name (default:test) being used.
> * Right now, we're using the scope to be similar to arguments for operation. Would be better to decouple the arguments for operation and scope involved in checking. E.g., for createTable, we have the following audit log
> {code}
> Access denied for user esteban; reason: Insufficient permissions; remote address: /10.20.30.1; request: createTable; context: (user=srikanth@XXX, scope=default, action=CREATE)
> {code}
> The scope was rightly being used as default namespace, but we're missing out the information like operation params for CREATE which we used to log prior to HBASE-12511.
> Would love to hear inputs on this!

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
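The audit lines quoted in this message share one layout: the decision and principal, then `;`-separated `reason`, `remote address` and `request` fields, then a `context` tuple whose `params=[...]` list carries the operation arguments that the issue description says were missing after HBASE-12511. That layout is what a SIEM parser or a regression test for the new semantics has to consume. What follows is an added example and not HBase code or anything attached to the ticket: a small Python parser for exactly that layout, run over the five log lines quoted above, plus a check that reports the two gaps the description lists (no operation params; a table name not qualified by its namespace). It assumes the delimiters are only the `; ` and `, ` shown and that no value inside `params=[...]` contains `]`.

```python
"""Parser for the HBase AccessController audit lines quoted in HBASE-13235.
Added example, not HBase code. Assumes the ';'-separated layout shown in the
ticket and that no value inside a context params=[...] list contains ']'.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the four new-format lines from the comment above plus the
# pre-HBASE-12511-style denied line quoted in the issue description.
SAMPLE_LOG = """\
2015-03-16 17:49:29,165 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: Namespace permission granted; remote address: /192.168.1.5; request: createTable; context: (user=ssrungarapu, scope=default, params=[namespace=default,table=default:test,family=f1],action=CREATE)
2015-03-16 17:49:29,173 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: All users allowed; remote address: /192.168.1.5; request: get; context: (user=ssrungarapu, scope=hbase:meta, family=table:state, params=[table=hbase:meta,family=table:state],action=READ)
2015-03-16 17:50:05,308 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: Global check allowed; remote address: /192.168.1.5; request: createNamespace; context: (user=ssrungarapu, scope=GLOBAL, params=[namespace=ns],action=ADMIN)
2015-03-16 17:50:16,376 TRACE SecurityLogger.org.apache.hadoop.hbase.security.access.AccessController: Access allowed for user ssrungarapu; reason: Table permission granted; remote address: /192.168.1.5; request: addColumn; context: (user=ssrungarapu, scope=default:test, params=[table=default:test,family=f2],action=ADMIN)
Access denied for user esteban; reason: Insufficient permissions; remote address: /10.20.30.1; request: createTable; context: (user=srikanth@XXX, scope=default, action=CREATE)
"""

# Optional log4j prefix, then the fixed ';'-separated fields of an access decision.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \w+ \S+: )?"
    r"Access (?P<decision>allowed|denied) for user (?P<user>[^;]+); "
    r"reason: (?P<reason>[^;]+); "
    r"remote address: (?P<remote>[^;]+); "
    r"request: (?P<request>[^;]+); "
    r"context: \((?P<context>.*)\)$"
)
# params=[...] contains commas of its own, so it is cut out before the rest is split.
PARAMS_RE = re.compile(r"params=\[(?P<params>[^\]]*)\],?")


@dataclass
class AuditEvent:
    decision: str             # "allowed" or "denied"
    user: str                 # principal the decision was made for
    reason: str               # e.g. "Namespace permission granted"
    remote: str               # client address as logged, e.g. /192.168.1.5
    request: str              # operation name, e.g. createTable
    scope: Optional[str]      # scope the permission check ran against
    action: Optional[str]     # permission action: READ, CREATE, ADMIN, ...
    context: Dict[str, str] = field(default_factory=dict)  # remaining context fields
    params: Dict[str, str] = field(default_factory=dict)   # operation arguments

    @property
    def denied(self) -> bool:
        return self.decision == "denied"


def _split_kv(text: str) -> Dict[str, str]:
    """Turn 'a=1, b=x:y' into {'a': '1', 'b': 'x:y'}; only the first '=' splits."""
    out: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in text.split(","))):
        key, _, value = part.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_context(ctx: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split 'user=u, scope=s, params=[a=1,b=2],action=X' into (fields, params)."""
    params: Dict[str, str] = {}
    m = PARAMS_RE.search(ctx)
    if m:
        params = _split_kv(m.group("params"))
        ctx = ctx[: m.start()] + ctx[m.end():]
    return _split_kv(ctx), params


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent, or None for lines that are not access decisions."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, params = parse_context(m.group("context"))
    return AuditEvent(
        decision=m.group("decision"), user=m.group("user"), reason=m.group("reason"),
        remote=m.group("remote"), request=m.group("request"),
        scope=fields.pop("scope", None), action=fields.pop("action", None),
        context=fields, params=params,
    )


def parse_log(text: str) -> List[AuditEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def audit_gaps(ev: AuditEvent) -> List[str]:
    """Flag the two weaknesses the ticket lists: no operation params, and a
    table name not qualified by its namespace (test instead of default:test)."""
    gaps: List[str] = []
    if not ev.params:
        gaps.append("no operation params")
    table = ev.params.get("table")
    if table is not None and ":" not in table:
        gaps.append(f"unqualified table name {table!r}")
    return gaps


def denied_by_user(events: List[AuditEvent]) -> Counter:
    """Count denied decisions per user, the first question an analyst asks of this log."""
    return Counter(ev.user for ev in events if ev.denied)
```

Run over the five quoted lines, `audit_gaps` flags only the old-format denied line (no `params=[...]`); the four new-format lines carry both the operation arguments and namespace-qualified table names, which is the behaviour the patch is meant to establish. Lines that are not access decisions are skipped rather than mis-parsed, so the parser can be pointed at a whole SecurityLogger file.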