hadoop-common-issues mailing list archives

From "Tristan Stevens (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13903) KMS does not provide any useful debug information
Date Thu, 15 Dec 2016 20:04:58 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15752370#comment-15752370 ]

Tristan Stevens commented on HADOOP-13903:
------------------------------------------

I've updated the patch to remove the {{ugi.getGroupNames()}}. The usernames are all over the
logs in most things anyway (good examples in NameNode logs, Hive Server2 or in Apache Sentry
logs), and the ACLs are already in the logs. Of course you'd only do this in a controlled scenario
- you'd hope that only an authorised user would be able to change the log4j.properties. Personally
I'd rather keep the ugi.getGroupNames in there, but happy to cede to your judgement there.

bq. Then I guess, we should call KMSAudit::unauthorized() there if the check fails.

I agree with that, however we'd need to add a new method to KMSAudit as there is no unauthorized
method that takes KeyOpType - I propose that goes in a separate JIRA, although I can add that
in here if you'd like?



> KMS does not provide any useful debug information
> -------------------------------------------------
>
>                 Key: HADOOP-13903
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13903
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.9.0, 3.0.0-alpha2
>            Reporter: Tristan Stevens
>            Assignee: Tristan Stevens
>            Priority: Minor
>         Attachments: HADOOP-13903-2.patch, HADOOP-13903-3.patch, HADOOP-13903.patch
>
>
> At the moment there are no debug or trace level logs generated for KMS authorisation decisions. In order for users to understand what is going on in given scenarios this would be invaluable.
> Code should endeavour to keep as much work off the sunny-day-code-path as possible.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
