Return-Path: 
 <mapreduce-issues-return-11465-apmail-hadoop-mapreduce-issues-archive=hadoop.apache.org@hadoop.apache.org>
Delivered-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org
Received: (qmail 96504 invoked from network); 11 Mar 2010 10:09:24 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 11 Mar 2010 10:09:24 -0000
Received: (qmail 29031 invoked by uid 500); 11 Mar 2010 10:08:51 -0000
Delivered-To: apmail-hadoop-mapreduce-issues-archive@hadoop.apache.org
Received: (qmail 29000 invoked by uid 500); 11 Mar 2010 10:08:51 -0000
Mailing-List: contact mapreduce-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:mapreduce-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:mapreduce-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:mapreduce-issues@hadoop.apache.org>
List-Id: <mapreduce-issues.hadoop.apache.org>
Reply-To: mapreduce-issues@hadoop.apache.org
Delivered-To: mailing list mapreduce-issues@hadoop.apache.org
Received: (qmail 28992 invoked by uid 99); 11 Mar 2010 10:08:50 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Mar 2010 10:08:50 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Mar 2010 10:08:48 +0000
Received: from brutus.apache.org (localhost [127.0.0.1])
	by brutus.apache.org (Postfix) with ESMTP id 7421729A0011
	for <mapreduce-issues@hadoop.apache.org>;
 Thu, 11 Mar 2010 10:08:27 +0000 (UTC)
Message-ID: <756247337.200361268302107474.JavaMail.jira@brutus.apache.org>
Date: Thu, 11 Mar 2010 10:08:27 +0000 (UTC)
From: "Amar Kamat (JIRA)" <jira@apache.org>
To: mapreduce-issues@hadoop.apache.org
Subject: [jira] Commented: (MAPREDUCE-1543) Log messages of JobACLsManager
 should use security logging of HADOOP-6586
In-Reply-To: <1429024038.26491267418227192.JavaMail.jira@brutus.apache.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
X-Virus-Checked: Checked by ClamAV on apache.org


    [ https://issues.apache.org/jira/browse/MAPREDUCE-1543?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12843992#action_12843992 ] 

Amar Kamat commented on MAPREDUCE-1543:
---------------------------------------

bq. Is the format also similar to HDFS audit logs ? 
The format for audit logs used by hdfs is hdfs friendly. They log 
{noformat}
ugi
remote IP
command
src path
dst path (optional)
permissions (optional)
{noformat}

We might try to come up with a  model which both can use (and add it to commons). So here is how the mapping from hdfs audit-log-format to mapreduce audit-log-format might look like
||hdfs||mapreduce||
|ugi|agent|
|remote-ip|-|
|command|operation|
|src-path|target|
|dst path|-|
|permissions|-|
|-|result|
|-|reason|

So here is a straight forward merge :
{noformat}
<agent> <remote-ip> <operation> <target> <permissions*> <result*> <reason*>
* means optional
{noformat}

So for hdfs, target will be src-path:dest-path. And for mapreduce, we could skip permissions or print acls. But the only point that doesnt fit this model for mapreduce is the job-initialization event. For job-initialization, what should be the value of remote-ip?

Not sure if we are doing an overfit. So for now I think we can keep it simple and have different models for hdfs and mapreduce. 

bq. Do we need to include host IP of the requestor ? I don't even know if it is possible to get this information though.
I am not sure how that will help. I think username should suffice. It is possible to get the IP of the caller using _o.a.h.ipc.Server.getRemoteIp()_.

bq. One concern with implementation is - if some of this logging is happening under the jobtracker lock, it might impact performance adversely. Can we plan to handle this ?
The idea here is to replace  LOG.* statements with AUDIT_LOG.*. So in terms of logging overhead, it should be same. In my initial implementation exercise, I have not seen a case where I had to add extra log lines. Let me check if this needs to be addressed. 


> Log messages of JobACLsManager should use security logging of HADOOP-6586
> -------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-1543
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1543
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security
>            Reporter: Vinod K V
>             Fix For: 0.22.0
>
>
> {{JobACLsManager}} added in MAPREDUCE-1307 logs the successes and failures w.r.t job-level authorization in the corresponding Daemons' logs. The log messages should instead use security logging of HADOOP-6586.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.