hadoop-hdfs-dev mailing list archives

From Xiao Chen <x...@cloudera.com>
Subject Re: Why aren't delegation token operations audit logged?
Date Mon, 14 Aug 2017 22:43:39 GMT
Thanks a lot Daryn! Filed https://issues.apache.org/jira/browse/HDFS-12300.


-Xiao

On Mon, Aug 14, 2017 at 12:46 PM, Daryn Sharp <daryn@oath.com> wrote:

> I don't think there's a historical reason for not logging token ops, and
> have no objections to logging them – as long as the log line does not
> contain anything like the identifier/password.  My first thought was
> logging overhead but I checked our clusters and the rate of logging would
> be insignificant.
>
> Daryn
>
> On Mon, Aug 14, 2017 at 1:52 PM, Xiao Chen <xiao@cloudera.com> wrote:
>
>> Hello,
>>
>> When inspecting the code, I found that the following methods in
>> FSNamesystem are not audit logged:
>>
>>    - getDelegationToken
>>    - renewDelegationToken
>>    - cancelDelegationToken
>>
>> The audit log itself does have a logTokenTrackingId
>> <https://github.com/apache/hadoop/blob/branch-3.0.0-alpha4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java#L7432>
>> field to additionally log some details when a token is used for
>> authentication.
>> But why aren't the token operations themselves audit logged?
>>
>> I checked with ATM hoping for some history, but none known to him. Anyone
>> know the reason to not audit log these?
>>
>> Thanks,
>> -Xiao
>>
>
>
