hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colin Patrick McCabe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-9395) getContentSummary and other FS operations are audit logged as success even if failed
Date Tue, 02 Feb 2016 21:43:39 GMT

    [ https://issues.apache.org/jira/browse/HDFS-9395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15129094#comment-15129094
] 

Colin Patrick McCabe commented on HDFS-9395:
--------------------------------------------

So, the big question here is what should go in the audit log?  All failures, or just "permission
denied" failures?  Or, to put it a different way, if someone attempts to do something and
it fails because a file doesn't exist, is that worth an audit log entry?

We are currently inconsistent on this point.  For example, {{concat}}, {{getContentSummary}},
{{addCacheDirective}}, and {{setErasureEncodingPolicy}} create an audit log entry for all
failures, but {{setOwner}}, {{delete}}, and {{setAclEntries}} attempt to only create an entry
for {{AccessControlException}}-based failures.  There are a few operations, like {{allowSnapshot}},
{{disallowSnapshot}}, and {{startRollingUpgrade}} that never create audit log failure entries
at all.  They simply log nothing for any failure, and log success for a successful operation.

So to summarize, operations fall into 3 categories:
1. audit-log *all* failures
2. audit-log only {{AccessControlException}} failures
3. *never* audit-log failures

Category #3 seems like a clear violation of what people expect out of the audit log, since
it will leave out all the unsuccessful attempts to do some privileged operation.  So perhaps
the category #3 operations are clearly buggy.  The question then becomes, is the category
#1 or #2 interpretation correct?  One potential issue I see with category #2 is that if there
is some failure that ultimately is permissions-related, but which fails to generate the specific
{{AccessControlException}} subclass of exception, we will miss it.  So category #1 operations
are more robust against changes in the exception handling.

> getContentSummary and other FS operations are audit logged as success even if failed
> ------------------------------------------------------------------------------------
>
>                 Key: HDFS-9395
>                 URL: https://issues.apache.org/jira/browse/HDFS-9395
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Kihwal Lee
>            Assignee: Kuhu Shukla
>         Attachments: HDFS-9395.001.patch, HDFS-9395.002.patch
>
>
> Audit logging is in the fainally block along with the lock unlocking, so it is always
logged as success even for cases like FileNotFoundException is thrown.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message