Date: Wed, 29 Aug 2012 18:19:08 +1100 (NCT)
From: "Andy Isaacson (JIRA)"
To: hdfs-issues@hadoop.apache.org
Message-ID: <862584184.10789.1346224749017.JavaMail.jiratomcat@arcas>
In-Reply-To: <1458184494.109034.1343353057346.JavaMail.jiratomcat@issues-vm>
Subject: [jira] [Updated] (HDFS-3733) Audit logs should include WebHDFS access

[ https://issues.apache.org/jira/browse/HDFS-3733?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Isaacson updated HDFS-3733:
--------------------------------
    Attachment: hdfs-3733-1.txt

Attaching new patch, removing the need for the ThreadLocal curClient by simply using NamenodeWebHdfsMethods#REMOTE_ADDRESS. Various other cleanups, and add test showing that Hftp is also audited.

> Audit logs should include WebHDFS access
> ----------------------------------------
>
> Key: HDFS-3733
> URL: https://issues.apache.org/jira/browse/HDFS-3733
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Affects Versions: 2.0.0-alpha
> Reporter: Andy Isaacson
> Assignee: Andy Isaacson
> Attachments: hdfs-3733-1.txt, hdfs-3733.txt
>
>
> Access via WebHdfs does not result in audit log entries. It should.
> {noformat}
> % curl "http://nn1:50070/webhdfs/v1/user/adi/hello.txt?op=GETFILESTATUS"
> {"FileStatus":{"accessTime":1343351432395,"blockSize":134217728,"group":"supergroup","length":12,"modificationTime":1342808158399,"owner":"adi","pathSuffix":"","permission":"644","replication":1,"type":"FILE"}}
> {noformat}
> and observe that no audit log entry is generated.
> Interestingly, OPEN requests do not generate audit log entries when the NN generates the redirect, but do generate audit log entries when the second phase against the DN is executed.
> {noformat}
> % curl -v 'http://nn1:50070/webhdfs/v1/user/adi/hello.txt?op=OPEN'
> ...
> < HTTP/1.1 307 TEMPORARY_REDIRECT
> < Location: http://dn01:50075/webhdfs/v1/user/adi/hello.txt?op=OPEN&namenoderpcaddress=nn1:8020&offset=0
> ...
> % curl -v 'http://dn01:50075/webhdfs/v1/user/adi/hello.txt?op=OPEN&namenoderpcaddress=nn1:8020'
> ...
> < HTTP/1.1 200 OK
> < Content-Type: application/octet-stream
> < Content-Length: 12
> < Server: Jetty(6.1.26.cloudera.1)
> <
> hello world
> {noformat}
> This happens because {{DatanodeWebHdfsMethods#get}} uses {{DFSClient#open}} thereby triggering the existing {{logAuditEvent}} code.
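
A way to measure the gap this issue describes on an unpatched cluster, as an added example that is not part of the original message or of the Hadoop code base: it correlates WebHDFS requests seen by the NameNode web server with audit-log entries and reports the requests that left no audit record. It assumes an NCSA-style HTTP request log is available and that the op-to-cmd mapping below holds; the function names are hypothetical and both log samples are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed mapping from WebHDFS op= values to audit-log cmd= values.
OP_TO_CMD = {"GETFILESTATUS": "getfileinfo", "OPEN": "open",
             "LISTSTATUS": "listStatus", "MKDIRS": "mkdirs", "DELETE": "delete"}

# Constructed NameNode HTTP request log (NCSA style); not real data.
HTTP_LOG = '''\
192.0.2.5 - - [29/Aug/2012:07:19:08 +0000] "GET /webhdfs/v1/user/adi/hello.txt?op=GETFILESTATUS HTTP/1.1" 200 210
192.0.2.5 - - [29/Aug/2012:07:19:09 +0000] "GET /webhdfs/v1/user/adi/hello.txt?op=OPEN HTTP/1.1" 307 0
192.0.2.7 - - [29/Aug/2012:07:19:10 +0000] "GET /webhdfs/v1/user/bob?op=LISTSTATUS HTTP/1.1" 200 512
192.0.2.7 - - [29/Aug/2012:07:19:11 +0000] "GET /static/hadoop.css HTTP/1.1" 200 900
'''

# Constructed audit log: only the DataNode-phase OPEN and an unrelated RPC call appear.
AUDIT_LOG = '''\
2012-08-29 07:19:09,512 INFO FSNamesystem.audit: ugi=adi (auth:SIMPLE)\tip=/192.0.2.21\tcmd=open\tsrc=/user/adi/hello.txt\tdst=null\tperm=null
2012-08-29 07:19:12,004 INFO FSNamesystem.audit: ugi=bob (auth:SIMPLE)\tip=/192.0.2.7\tcmd=mkdirs\tsrc=/tmp/x\tdst=null\tperm=null
'''

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
AUDIT_RE = re.compile(r"\bcmd=(\S+)\s+src=(\S+)")

def webhdfs_requests(http_log):
    """Yield (client_ip, op, hdfs_path) for each non-error WebHDFS request."""
    for line in http_log.splitlines():
        m = REQ_RE.match(line)
        if not m or int(m.group(3)) >= 400:
            continue
        url = urlsplit(m.group(2))
        if not url.path.startswith("/webhdfs/v1"):
            continue
        op = parse_qs(url.query).get("op", [""])[0].upper()
        path = unquote(url.path[len("/webhdfs/v1"):]).rstrip("/") or "/"
        yield m.group(1), op, path

def unaudited(http_log, audit_log):
    """Return WebHDFS requests with no (cmd, src) match left in the audit log."""
    seen = Counter(AUDIT_RE.findall(audit_log))
    missing = []
    for ip, op, path in webhdfs_requests(http_log):
        key = (OP_TO_CMD.get(op, op), path)
        if seen[key] > 0:
            seen[key] -= 1   # each audit entry accounts for one request
        else:
            missing.append((ip, op, path))
    return missing
```

Matching is on cmd and src only, not on ip, because the audit entry for OPEN is produced by the DataNode's {{DFSClient#open}} call rather than by the original HTTP request.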