hadoop-hdfs-issues mailing list archives

From "Andy Isaacson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-3535) audit logging should log denied accesses as well as permitted ones
Date Mon, 25 Jun 2012 20:34:44 GMT

    [ https://issues.apache.org/jira/browse/HDFS-3535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400859#comment-13400859 ]

Andy Isaacson commented on HDFS-3535:
-------------------------------------

{quote}
The one audit log that doesn't have a corresponding log for failure is logFsckEvent, though
given that we get the ugi from the request it seems like that case could result in an ACE
as well right?
{quote}
The fsck audit event is logged before the fsck command is run, so it can't fail to generate
the audit event. Also, fsck is special in that it's implemented as a URL fetch, so I don't
think the UGI is enforced. This is probably a bug, and the audit logging will need to be
fixed when that bug is fixed.

{quote}
Let's use fooInternal vs fooInt to match the existing "fooInternal" methods
{quote}

That would collide with several existing uses: concatInternal, createSymlinkInternal, startFileInternal,
renameToInternal, etc. I specifically chose a suffix not previously used to avoid code churn.
Perhaps a different suffix than "Int" would convey this better, LMK if you have any good
ideas.

{quote}
Normally the checks are used before the method invocation if we're doing expensive things
to create the args (eg lots of string concatenation) not to save the cost of the method invocation.
Doesn't look like that's the case here (we're not constructing args) so we could just call
logAuditEvent directly everywhere.
{quote}
There are a bunch of uses of logAuditEvent that do need to check if audit logging is enabled
before constructing log messages, etc.  I considered refactoring them all and concluded that
it was out of scope for this change.  I decided not to change the existing idiom (verbose
though it is) before refactoring all users of the interface, which should be a separate change.
                
> audit logging should log denied accesses as well as permitted ones
> ------------------------------------------------------------------
>
>                 Key: HDFS-3535
>                 URL: https://issues.apache.org/jira/browse/HDFS-3535
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: name-node
>    Affects Versions: 2.0.0-alpha
>            Reporter: Andy Isaacson
>            Assignee: Andy Isaacson
>         Attachments: hdfs-3535-1.txt, hdfs-3535.txt
>
>
> FSNamesystem.java logs an audit log entry when a user successfully accesses the filesystem:
> {code}
>       logAuditEvent(UserGroupInformation.getLoginUser(),
>                     Server.getRemoteIp(),
>                     "concat", Arrays.toString(srcs), target, resultingStat);
> {code}
> but there is no similar log when a user attempts to access the filesystem and is denied
> due to permissions.  Competing systems do provide such logging of denied access attempts;
> we should too.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
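
One way to structure the denied-access logging discussed in this message, as an added example that is not the HDFS-3535 patch or Hadoop code: an outer method wraps a hypothetical `deleteInt` and records an audit event for both outcomes, keeping the enabled check before each log call. All class, method and field names, the toy permission rule and the sample users and paths are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration; every name here is hypothetical, not a Hadoop class.
public class AuditDeniedExample {
    static class AccessDenied extends Exception {
        AccessDenied(String msg) { super(msg); }
    }

    // Stand-in audit sink: one line per event (constructed format).
    static final List<String> AUDIT = new ArrayList<>();
    static boolean auditEnabled = true;

    static void logAuditEvent(boolean allowed, String user, String ip,
                              String cmd, String src) {
        AUDIT.add("allowed=" + allowed + "\tugi=" + user + "\tip=" + ip
                + "\tcmd=" + cmd + "\tsrc=" + src);
    }

    // Inner method: permission check (toy rule) plus the real work.
    static void deleteInt(String user, String src) throws AccessDenied {
        if (!src.startsWith("/user/" + user + "/")) {
            throw new AccessDenied("Permission denied: user=" + user
                    + ", src=" + src);
        }
        // ... perform the operation ...
    }

    // Outer method: audit the denial, then rethrow so the caller still
    // sees it; audit the success only after the inner call returns.
    static void delete(String user, String ip, String src)
            throws AccessDenied {
        try {
            deleteInt(user, src);
        } catch (AccessDenied e) {
            if (auditEnabled) logAuditEvent(false, user, ip, "delete", src);
            throw e;
        }
        if (auditEnabled) logAuditEvent(true, user, ip, "delete", src);
    }

    public static void main(String[] args) {
        String[] paths = {"/user/alice/tmp/a", "/user/bob/secret"};
        for (String p : paths) {
            try { delete("alice", "10.0.0.5", p); }
            catch (AccessDenied e) { System.out.println(e.getMessage()); }
        }
        AUDIT.forEach(System.out::println); // one allowed, one denied
    }
}
```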

        
