zookeeper-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1260) Audit logging in ZooKeeper servers.
Date Fri, 25 Aug 2017 22:17:09 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16142333#comment-16142333
] 

ASF GitHub Bot commented on ZOOKEEPER-1260:
-------------------------------------------

Github user afine commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/338#discussion_r135345935
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperAuditLogs.xml ---
    @@ -0,0 +1,205 @@
    +<?xml version="1.0" encoding="UTF-8"?>
    +<!--
    +  Copyright 2002-2004 The Apache Software Foundation
    +
    +  Licensed under the Apache License, Version 2.0 (the "License");
    +  you may not use this file except in compliance with the License.
    +  You may obtain a copy of the License at
    +
    +      http://www.apache.org/licenses/LICENSE-2.0
    +
    +  Unless required by applicable law or agreed to in writing, software
    +  distributed under the License is distributed on an "AS IS" BASIS,
    +  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +  See the License for the specific language governing permissions and
    +  limitations under the License.
    +-->
    +<!DOCTYPE article PUBLIC "-//OASIS//DTD Simplified DocBook XML V1.0//EN"
    +"http://www.oasis-open.org/docbook/xml/simple/1.0/sdocbook.dtd">
    +<article id="ar_auditLogs">
    +  <title>ZooKeeper Audit Logging</title>
    +  <articleinfo>
    +    <legalnotice>
    +      <para>Licensed under the Apache License, Version 2.0 (the "License");
    +      you may not use this file except in compliance with the License. You may
    +      obtain a copy of the License at <ulink
    +      url="http://www.apache.org/licenses/LICENSE-2.0">http://www.apache.org/licenses/LICENSE-2.0</ulink>.</para>
    +
    +      <para>Unless required by applicable law or agreed to in writing,
    +      software distributed under the License is distributed on an "AS IS"
    +      BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    +      implied. See the License for the specific language governing permissions
    +      and limitations under the License.</para>
    +    </legalnotice>
    +
    +    <abstract>
    +        <para>This document contains information about Audit Logs in ZooKeeper.</para>
    +    </abstract>
    +  </articleinfo>
    +  <section id="ch_auditLogs">
    +    <title>ZooKeeper Audit Logs</title>
    +    <para>Apache ZooKeeper supports audit logs form version 3.5.4. By default audit
logs are disabled. To enable audit
    +    logs configure audit.enable=true in conf/zoo.cfg. Audit logs are not logged on all
the ZooKeeper servers, but logged
    +    only on the servers where client is connected as depicted in bellow figure.</para>
    +    <mediaobject id="fg_audit" >
    +        <imageobject>
    +            <imagedata fileref="images/zkAuditLogs.jpg"/>
    +        </imageobject>
    +    </mediaobject>
    +    <para>The audit log captures the detailed information for the operations that
are selected to be audited. The audit
    +    information is written as a set of key=value pairs for the following keys.</para>
    +    <table>
    +        <title>Audit Log Content</title>
    +        <tgroup cols="5" align="left" colsep="1" rowsep="4">
    +            <thead>
    +                <row>
    +                    <entry>Key</entry>
    +                    <entry>Value</entry>
    +                </row>
    +            </thead>
    +            <tbody>
    +                <row>
    +                    <entry>session</entry>
    +                    <entry>client session id</entry>
    +                </row>
    +                <row>
    +                    <entry>user</entry>
    +                    <entry>
    +                        comma separated list of users who are associate with a client
session. To know who is taken as user in audit logs
    +                        refer section
    +                        <xref linkend="ch_zkAuditUser"/>
    +                    </entry>
    +                </row>
    +                <row>
    +                    <entry>ip</entry>
    +                    <entry>client IP address</entry>
    +                </row>
    +                <row>
    +                    <entry>operation</entry>
    +                    <entry>any one of the selected operations for audit. Possible
values are
    +                        (serverStart| serverStop| create| delete| setData| setAcl| multiOperation|
reconfig| ephemeralZNodeDeleteOnSessionClose)
    +                    </entry>
    +                </row>
    +                <row>
    +                    <entry>znode</entry>
    +                    <entry>path of the znode</entry>
    +                </row>
    +                <row>
    +                    <entry>acl</entry>
    +                    <entry>String representation of znode ACL like cdrwa(create,
delete,read, write, admin). This is logged
    +                        only for setAcl operation</entry>
    +                </row>
    +                <row>
    +                    <entry>result</entry>
    +                    <entry>result of the operation. Possible values are (success|failure|invoked).
Result "invoked" is used
    +                        for serverStop operation because stop is logged before ensuring
that server actually stopped.
    +                    </entry>
    +                </row>
    +            </tbody>
    +        </tgroup>
    +    </table>
    +    <para>Below are sample audit logs for all operations, where client is connected
from 192.168.1.2, client principal is
    +        zkcli@HADOOP.COM, server principal is zookeeper/192.168.1.3@HADOOP.COM</para>
    +    <programlisting>
    +        user=zookeeper/192.168.1.3 operation=serverStart   result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=create    znode=/a    result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=create    znode=/a    result=failure
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=setData   znode=/a    result=failure
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=setData   znode=/a    result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=setAcl    znode=/a    acl=world:anyone:cdrwa  result=failure
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=setAcl    znode=/a    acl=world:anyone:cdrwa  result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=create    znode=/b    result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=setData   znode=/b    result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=delete    znode=/b    result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=multiOperation    result=failure
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=delete    znode=/a    result=failure
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=delete    znode=/a    result=success
    +        session=0x19344730001   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=create    znode=/ephemral result=success
    +        session=0x19344730001   user=zookeeper/192.168.1.3   operation=ephemeralZNodeDeletionOnSessionCloseOrExpire
 znode=/ephemral result=success
    +        session=0x19344730000   user=192.168.1.2,zkcli@HADOOP.COM  ip=192.168.1.2   
operation=reconfig  znode=/zookeeper/config result=success
    +        user=zookeeper/192.168.1.3 operation=serverStop    result=invoked
    +    </programlisting>
    +  </section>
    +  <section id="ch_auditConfig">
    +    <title>ZooKeeper Audit Log Configuration</title>
    +    <para>By default audit logs are disabled. To enable audit logs configure audit.enable=true
in conf/zoo.cfg. Audit
    +        logging is done using log4j. Following is the default log4j configuration for
audit logs in conf/log4j.properties
    +    </para>
    +    <programlisting>
    +        #
    +        # zk audit logging
    +        #
    +        zookeeper.auditlog.file=zookeeper_audit.log
    +        zookeeper.auditlog.threshold=INFO
    +        audit.logger=INFO, RFAAUDIT
    +        log4j.logger.org.apache.zookeeper.audit.ZKAuditLogger=${audit.logger}
    +        log4j.additivity.org.apache.zookeeper.audit.ZKAuditLogger=false
    +        log4j.appender.RFAAUDIT=org.apache.log4j.RollingFileAppender
    +        log4j.appender.RFAAUDIT.File=${zookeeper.log.dir}/${zookeeper.auditlog.file}
    +        log4j.appender.RFAAUDIT.layout=org.apache.log4j.PatternLayout
    +        log4j.appender.RFAAUDIT.layout.ConversionPattern=%d{ISO8601} %p %c{2}: %m%n
    +        log4j.appender.RFAAUDIT.Threshold=${zookeeper.auditlog.threshold}
    +
    +        # Max log file size of 10MB
    +        log4j.appender.RFAAUDIT.MaxFileSize=10MB
    +        log4j.appender.RFAAUDIT.MaxBackupIndex=10
    +    </programlisting>
    +    <para>Change above configuration to customize the auditlog file, number of
backups, max file size etc.</para>
    +  </section>
    +  <section id="ch_zkAuditUser">
    +    <title>Who is taken as user in audit logs?</title>
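Review bot: the operation name listed in the table's "operation" row (ephemeralZNodeDeleteOnSessionClose) does not match the name used in the sample log line (operation=ephemeralZNodeDeletionOnSessionCloseOrExpire); use whichever value the server actually emits in both places, otherwise anyone filtering the audit log by the documented name will miss session-close deletions. Two smaller points in the same hunk: the "Audit Log Content" table declares tgroup cols="5" and rowsep="4" but only has two entry columns (Key, Value), so cols="2" and rowsep="1" match the content; and a few typos are worth fixing before merge: "form version 3.5.4" should read "from version 3.5.4", "bellow figure" should read "below figure", "who are associate with" should read "who are associated with", and the sample znode path "/ephemral" should read "/ephemeral".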
    --- End diff --
    
    I'm still a little confused by what is meant by "taken as user". If I'm understanding
correctly, it may be a little clearer to say "How is the user determined for the audit logs?"


> Audit logging in ZooKeeper servers.
> -----------------------------------
>
>                 Key: ZOOKEEPER-1260
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1260
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Mahadev konar
>            Assignee: Mohammad Arshad
>             Fix For: 3.5.4, 3.6.0
>
>         Attachments: ZOOKEEPER-1260-01.patch, zookeeperAuditLogs.pdf
>
>
> Lots of users have had questions on debugging which client changed what znode and what
updates went through a znode. We should add audit logging as in Hadoop (look at Namenode Audit
logging) to log which client changed what in the zookeeper servers. This could just be a log4j
audit logger.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
