Date: Thu, 12 Jul 2012 16:42:00 -0700
Subject: Re: Enhancing AccessController
From: Marcelo Vanzin
To: dev@hbase.apache.org

Hello,

On Thu, Jul 12, 2012 at 3:54 PM, Andrew Purtell wrote:
>> For example, HDFS logs audit messages at INFO level today (IIRC), while HBase does so at TRACE level.
> This has been fixed.

Ah, good to know. It seems our git mirrors are a little bit out of date.

>> Well, the logging path wouldn't go away; this would just be an
>> extension for people who might have more complicated needs than just
>> writing to log files. We're looking at maybe providing a similar thing
>> for HDFS. In the end, we don't want the easy way to be any different
>> than it is today, but at the same time have a system where doing more
>> complicated things is possible.
>
> This is the right approach, IMHO, build it into Hadoop core and then
> we can use it in a manner consistent with how core does.

My concern with trying to come up with a common solution for core Hadoop and HBase is that the data being logged is fundamentally different. Sure, you could have a silly logger that just takes a string, but that's no better than hacking through the logging system, which can be done today.

A proper interface would have proper types provided to the logger (e.g., the "AuthResult" class currently private in AccessController). And those cannot be shared among different services; maybe some base type with common audit-related fields, but not much more than that.

Anyway, I'll clean up my code and post it on Jira instead of elongating this thread. :-)

--
Marcelo
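
An added illustration of the design argued for in the message above, not part of the original email and not HBase or Hadoop code: a pluggable audit sink that receives typed events, with a small shared base type and a service-specific subtype. Every class and field name here is hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// All names are hypothetical; none of these are HBase or Hadoop APIs.
public class TypedAuditExample {

    // Fields any service could share: who, what, and the decision.
    static class AuditEvent {
        final String user, action;
        final boolean allowed;
        AuditEvent(String user, String action, boolean allowed) {
            this.user = user; this.action = action; this.allowed = allowed;
        }
    }

    // Service-specific detail stays in a subtype owned by that service.
    static class TableAuditEvent extends AuditEvent {
        final String table, family;
        TableAuditEvent(String user, String action, boolean allowed, String table, String family) {
            super(user, action, allowed);
            this.table = table; this.family = family;
        }
    }

    // Pluggable sink: receives the typed event, not a preformatted string.
    interface AuditSink<E extends AuditEvent> { void record(E event); }

    // Default sink keeps the simple path: one formatted line per event.
    static class LogLineSink implements AuditSink<AuditEvent> {
        public void record(AuditEvent e) {
            System.out.println((e.allowed ? "ALLOWED" : "DENIED") + " user=" + e.user + " action=" + e.action);
        }
    }

    // A sink with a more complicated need: collect denials per table without parsing log text.
    static class DeniedByTableSink implements AuditSink<TableAuditEvent> {
        final List<String> denied = new ArrayList<>();
        public void record(TableAuditEvent e) {
            if (!e.allowed) denied.add(e.table + ":" + e.family + " by " + e.user);
        }
    }

    public static void main(String[] args) {
        // Constructed sample events.
        TableAuditEvent ok = new TableAuditEvent("alice", "READ", true, "orders", "cf1");
        TableAuditEvent no = new TableAuditEvent("bob", "WRITE", false, "orders", "cf1");
        LogLineSink log = new LogLineSink();
        DeniedByTableSink denials = new DeniedByTableSink();
        for (TableAuditEvent e : new TableAuditEvent[] {ok, no}) {
            log.record(e);      // a base-type sink accepts the subtype
            denials.record(e);  // a typed sink reads the fields directly
        }
        System.out.println(denials.denied);
    }
}
```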