Date: Wed, 1 Aug 2012 23:54:03 +0000 (UTC)
From: "Andy Isaacson (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-3680) Allows customized audit logging in HDFS FSNamesystem

    [ https://issues.apache.org/jira/browse/HDFS-3680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13427016#comment-13427016 ]

Andy Isaacson commented on HDFS-3680:
-------------------------------------

Given the designed use case for audit loggers -- they are creating business critical immutable logs of filesystem access -- I do not agree that the NN should always continue to operate when an audit logger fails.

The purpose of audit logging is, "*every* time a user accesses a file, an audit log entry is generated". Not "well, most of the time, unless some system had a hiccup, in which case we just silently allow access without audit logs". Think of it as similar to an authentication system; if PAM is unable to access the LDAP server, it returns DENY, not ALLOW.

Yes, this adds points of failure to the system -- if a fail-closed audit log fails, then the NN will stop allowing access. For customers that need this capability, that may be an acceptable trade-off; that's a decision that should be left to the customer, and for which we should establish sensible defaults.

I think the simplest solution is for the NN to simply shut down if the AuditLogger fails. This probably needs a warning in fairly big letters.

If there's user demand for fail-open audit logs, that can be done in the AuditLogger implementation, by catching all exceptions and swallowing them. Or we could add separate configurations for "fallible audit loggers" and "critical audit loggers".

(I'm willing to listen to contrary opinions in this area -- if you think I'm wrong about this, please do say so!)

> Allows customized audit logging in HDFS FSNamesystem
> ----------------------------------------------------
>
>                 Key: HDFS-3680
>                 URL: https://issues.apache.org/jira/browse/HDFS-3680
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: name-node
>    Affects Versions: 2.0.0-alpha
>            Reporter: Marcelo Vanzin
>            Assignee: Marcelo Vanzin
>            Priority: Minor
>         Attachments: accesslogger-v1.patch, accesslogger-v2.patch, hdfs-3680-v3.patch, hdfs-3680-v4.patch, hdfs-3680-v5.patch
>
>
> Currently, FSNamesystem writes audit logs to a logger; that makes it easy to get audit logs in some log file. But it makes it kinda tricky to store audit logs in any other way (let's say a database), because it would require the code to implement a log appender (and thus know what logging system is actually being used underneath the façade), and parse the textual log message generated by FSNamesystem.
> I'm attaching a patch that introduces a cleaner interface for this use case.
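
The fail-closed versus fail-open trade-off discussed in the comment above, as an added example that is not part of the original message or of the HDFS-3680 patches. All names (AuditSink, Fallible, AuditFailure, open) are hypothetical, and the sketch denies the single operation on an audit failure rather than shutting the process down as the comment proposes.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical names throughout; this is not the interface from the HDFS-3680 patches.
public class AuditDispatchDemo {
    interface AuditSink { void log(String user, String cmd, String path) throws Exception; }

    /** Raised when a critical sink fails; the caller must not perform the access. */
    static class AuditFailure extends RuntimeException {
        AuditFailure(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Fail-open wrapper ("fallible audit logger"): swallows failures but counts them. */
    static class Fallible implements AuditSink {
        private final AuditSink inner;
        int dropped = 0;
        Fallible(AuditSink inner) { this.inner = inner; }
        @Override public void log(String u, String c, String p) {
            try { inner.log(u, c, p); } catch (Exception e) { dropped++; }
        }
    }

    /** Fail-closed dispatch ("critical audit logger"): any sink exception aborts the access. */
    static void audit(List<AuditSink> sinks, String u, String c, String p) {
        for (AuditSink s : sinks) {
            try { s.log(u, c, p); }
            catch (Exception e) { throw new AuditFailure("audit failed; denying " + c + " " + p, e); }
        }
    }

    /** The audit record is written first; the data is returned only if that succeeded. */
    static String open(List<AuditSink> sinks, String user, String path) {
        audit(sinks, user, "open", path);
        return "contents of " + path;
    }

    public static void main(String[] args) {
        List<String> db = new ArrayList<>();   // constructed stand-in for an audit database
        AuditSink good = (u, c, p) -> db.add(u + " " + c + " " + p);
        AuditSink broken = (u, c, p) -> { throw new java.io.IOException("db unreachable"); };

        // Broken sink wrapped as fallible: access proceeds, the lost record is only counted.
        Fallible wrapped = new Fallible(broken);
        System.out.println(open(List.of(good, wrapped), "alice", "/a"));
        System.out.println("records dropped by fallible sink: " + wrapped.dropped);

        // Same broken sink registered as critical: the access is refused.
        try {
            open(List.of(good, broken), "alice", "/b");
        } catch (AuditFailure e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

In the fail-open run the only trace of the missing record is the dropped counter, which is the silent gap the comment objects to; in the fail-closed run the caller never receives the file contents.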