[jira] [Updated] (HADOOP-13693) Remove the message about HTTP OPTIONS in SPNEGO initialization message from kms audit log

Tue, 18 Oct 2016 18:30:07 -0700 

     [ 
https://issues.apache.org/jira/browse/HADOOP-13693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiao Chen updated HADOOP-13693:
-------------------------------
       Resolution: Fixed
     Hadoop Flags: Incompatible change,Reviewed  (was: Incompatible change)
    Fix Version/s: 3.0.0-alpha2
     Release Note: kms-audit.log used to show an UNAUTHENTICATED message even 
for successful operations, because of the OPTIONS HTTP request during SPNEGO 
initial handshake. This message brings more confusion than help, and has hence 
been removed.
           Status: Resolved  (was: Patch Available)

Committed to trunk. Thanks Andrew, Xiaoyu and Arun for the feedback!

> Remove the message about HTTP OPTIONS in SPNEGO initialization message from 
> kms audit log
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13693
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13693
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>            Priority: Minor
>             Fix For: 3.0.0-alpha2
>
>         Attachments: HADOOP-13693.01.patch, HADOOP-13693.02.patch
>
>
> For a successful kms operation, kms-audit.log shows an UNAUTHENTICATED 
> ErrorMsg:'Authentication required' message before the OK messages. This is 
> expected, and due to the spnego authentication sequence. (Notice method == 
> {{OPTIONS}})
> {noformat}
> 2016-01-31 21:07:04,671 UNAUTHENTICATED RemoteHost:10.0.2.15 Method:OPTIONS 
> URL:https://quickstart.cloudera:16000/kms/v1/keyversion/ZJfn4lfNXxy068gqEmhxRCFljzoKEKDDR9ZJLO32vqq/_eek?eek_op=decrypt
>  ErrorMsg:'Authentication required'
> 2016-01-31 21:07:04,911 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, 
> accessCount=1, interval=0ms] 
> 2016-01-31 21:07:15,104 OK[op=DECRYPT_EEK, key=cloudera, user=cloudera, 
> accessCount=1, interval=10193ms] 
> {noformat}
> However, admins/auditors see this and can easily get confused/alerted. We 
> should make it obvious this is benign.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to