From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1260) Audit logging in ZooKeeper servers.
Date Fri, 25 Aug 2017 22:17:08 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16142330#comment-16142330
] 

ASF GitHub Bot commented on ZOOKEEPER-1260:
-------------------------------------------

Github user afine commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/338#discussion_r135361252
  
    --- Diff: src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java ---
    @@ -465,6 +490,129 @@ public void processRequest(Request request) {
             }
         }
     
    +    private void addSuccessAudit(Request request,ServerCnxn cnxn, String op, String path)
{
    +        addSuccessAudit(request, cnxn, op, path, null);
    +    }
    +
    +    private void addSuccessAudit(Request request,ServerCnxn cnxn, String op, String path,
String acl) {
    +        if (ZKAuditLogger.isAuditDisabled) {
    +            return;
    +        }
    +        ZKAuditLogger.logSuccess(request.getUsers(), op, path, acl,
    +                getSessionId(cnxn), getHostAddress(cnxn));
    +    }
    +
    +    private void addFailureAudit(Request request,ServerCnxn cnxn, String op, String path)
{
    +        addFailureAudit(request, cnxn, op, path, null);
    +    }
    +
    +    private void addFailureAudit(Request request,ServerCnxn cnxn, String op, String path,
String acl) {
    +        if (ZKAuditLogger.isAuditDisabled) {
    +            return;
    +        }
    +        ZKAuditLogger.logFailure(request.getUsers(), op, path, acl,
    +                getSessionId(cnxn), getHostAddress(cnxn));
    +    }
    +
    +    private void addAuditLog(Request request, ServerCnxn cnxn, String op, String path,
String acl,
    +            Code err) {
    +        if (ZKAuditLogger.isAuditDisabled) {
    +            return;
    +        }
    +        if (err == Code.OK) {
    +            ZKAuditLogger.logSuccess(request.getUsers(), op, path, acl, getSessionId(cnxn),
    +                    getHostAddress(cnxn));
    +        } else {
    +            ZKAuditLogger.logFailure(request.getUsers(), op, path, acl, getSessionId(cnxn),
    +                    getHostAddress(cnxn));
    +        }
    +    }
    +
    +    private String getACLs(Request request)
    +    {
    +        ByteBuffer reqData = request.request.duplicate();
    +        reqData.rewind();
    +        SetACLRequest setACLRequest = new SetACLRequest();
    +        try {
    +            ByteBufferInputStream.byteBuffer2Record(reqData, setACLRequest);
    +        } catch (IOException e) {
    +            e.printStackTrace();
    +        }
    +        return ZKUtil.aclToString(setACLRequest.getAcl());
    +    }
    +
    +    private void addFailedTxnAduitLog(Request request) {
    +        if (ZKAuditLogger.isAuditDisabled) {
    +            return;
    +        }
    +        String op = AuditConstants.OP_CREATE;
    +        if (request.cnxn == null) {
    +            return;
    +        }
    +        String path=null;
    +        long sessionId = -1;
    +        String address = null;
    +        String acls = null;
    +        boolean exceptionOccured = false;
    +        ByteBuffer reqData = request.request.duplicate();
    +        reqData.rewind();
    +        try {
    +            sessionId = request.cnxn.getSessionId();
    +            switch (request.type) {
    +            case OpCode.create:
    +            case  OpCode.create2:
    +            case  OpCode.createContainer:
    +                op = AuditConstants.OP_CREATE;
    +                CreateRequest createRequest = new CreateRequest();
    +                ByteBufferInputStream.byteBuffer2Record(reqData, createRequest);
    +                path=createRequest.getPath();
    +                break;
    +            case OpCode.delete:
    +            case OpCode.deleteContainer:
    +                op = AuditConstants.OP_DELETE;
    +                //path = new String(request.request.array());
    +                DeleteRequest deleteRequest = new DeleteRequest();
    +                ByteBufferInputStream.byteBuffer2Record(reqData, deleteRequest);
    +                path=deleteRequest.getPath();
    +                break;
    +            case OpCode.setData:
    +                op = AuditConstants.OP_SETDATA;
    +                SetDataRequest setDataRequest = new SetDataRequest();
    +                ByteBufferInputStream.byteBuffer2Record(reqData, setDataRequest);
    +                path=setDataRequest.getPath();
    +                break;
    +            case OpCode.setACL:
    +                op = AuditConstants.OP_SETACL;
    +                SetACLRequest setACLRequest = new SetACLRequest();
    +                ByteBufferInputStream.byteBuffer2Record(reqData, setACLRequest);
    +                path=setACLRequest.getPath();
    +                acls = ZKUtil.aclToString(setACLRequest.getAcl());
    +                break;
    +            case OpCode.multi:
    +                op = AuditConstants.OP_MULTI_OP;
    +                break;
    +            case OpCode.reconfig:
    +                op = AuditConstants.OP_RECONFIG;
    +                break;
    +            }
    +            if (request.cnxn != null
    +                    && request.cnxn.getRemoteSocketAddress() != null
    +                    && request.cnxn.getRemoteSocketAddress().getAddress() !=
null) {
    +                address = request.cnxn.getRemoteSocketAddress().getAddress()
    +                        .getHostAddress();
    +            }
    +        } catch (Throwable e) {
    +            exceptionOccured = true;
    +            LOG.error("Failed to audit log request {} failure", request.type, e);
    +        }
    +        if (!exceptionOccured) {
    +            if (ZKAuditLogger.isAuditEnabled) {
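Review bot: In getACLs, an IOException from `byteBuffer2Record` is only printed with `e.printStackTrace()`, and the method still returns `ZKUtil.aclToString(setACLRequest.getAcl())`, so the audit entry can carry an ACL string built from a request that was never fully deserialized. For an audit trail that is worse than an empty field, because the record looks complete and the error never reaches the server log. The catch block should use the class logger and return early, e.g. `LOG.error("Failed to deserialize setACL request for audit log", e); return null;` (the four-argument overloads above already pass a null acl, though `logSuccess`/`logFailure` themselves are not visible here). In addFailedTxnAduitLog, `catch (Throwable e)` also swallows Errors and appears to suppress the audit record for the failed request entirely. Catching `IOException | RuntimeException` and still recording the op and session id gathered so far would keep failed operations visible; that method continues past the end of the quoted hunk, so the rest of its body is not shown.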
    --- End diff --
    
    nit: we can combine these if statements
    
    alternatively you can return in the catch block


> Audit logging in ZooKeeper servers.
> -----------------------------------
>
>                 Key: ZOOKEEPER-1260
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1260
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Mahadev konar
>            Assignee: Mohammad Arshad
>             Fix For: 3.5.4, 3.6.0
>
>         Attachments: ZOOKEEPER-1260-01.patch, zookeeperAuditLogs.pdf
>
>
> Lots of users have had questions on debugging which client changed what znode and what
updates went through a znode. We should add audit logging as in Hadoop (look at Namenode Audit
logging) to log which client changed what in the zookeeper servers. This could just be a log4j
audit logger.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
