zookeeper-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1260) Audit logging in ZooKeeper servers.
Date Mon, 23 Apr 2018 15:30:01 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16448310#comment-16448310 ]

ASF GitHub Bot commented on ZOOKEEPER-1260:
-------------------------------------------

Github user anmolnar commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/338#discussion_r183433194
  
    --- Diff: src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java ---
    @@ -250,30 +267,36 @@ public void processRequest(Request request) {
                     lastOp = "CREA";
                     rsp = new Create2Response(rc.path, rc.stat);
                     err = Code.get(rc.err);
    +                addAuditLog(request, cnxn, AuditConstants.OP_CREATE, rc.path, null, err);
                     break;
                 }
                 case OpCode.delete:
                 case OpCode.deleteContainer: {
                     lastOp = "DELE";
                     err = Code.get(rc.err);
    +                addAuditLog(request, cnxn, AuditConstants.OP_DELETE, rc.path, null, err);
                     break;
                 }
                 case OpCode.setData: {
                     lastOp = "SETD";
                     rsp = new SetDataResponse(rc.stat);
                     err = Code.get(rc.err);
    +                addAuditLog(request, cnxn, AuditConstants.OP_SETDATA, rc.path, null,
err);
                     break;
                 }
                 case OpCode.reconfig: {
                     lastOp = "RECO";
                     rsp = new GetDataResponse(((QuorumZooKeeperServer)zks).self.getQuorumVerifier().toString().getBytes(),
rc.stat);
                     err = Code.get(rc.err);
    +                addAuditLog(request, cnxn, AuditConstants.OP_RECONFIG, rc.path, null,
err);
                     break;
                 }
                 case OpCode.setACL: {
                     lastOp = "SETA";
                     rsp = new SetACLResponse(rc.stat);
                     err = Code.get(rc.err);
    +                addAuditLog(request, cnxn, AuditConstants.OP_SETACL, rc.path, getACLs(request),
    --- End diff --
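Review bot: the `addAuditLog(request, cnxn, ...)` call is added by hand in each `case` shown in `processRequest` (create, delete, setData, reconfig, setACL), so a branch that is added or edited later is audited only if its author repeats the line, and a missed one leaves a silent gap in the audit trail. Consider a single call after the `switch` that derives the audit operation from the request's opcode. In the delete branch, `OpCode.delete` and `OpCode.deleteContainer` are both recorded as `AuditConstants.OP_DELETE`, so the audit record cannot tell the two apart; if that is intended, a comment at that line should say so.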
    
    I believe this approach has some performance impact even if audit logging is disabled.
The flag gets checked within the method, therefore `getACLs()` will be evaluated even if there's
no need for the result.
    Passing only `request` and calling `getACLs()` from `addAuditLog()` would be slightly
faster.  


> Audit logging in ZooKeeper servers.
> -----------------------------------
>
>                 Key: ZOOKEEPER-1260
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1260
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Mahadev konar
>            Assignee: Mohammad Arshad
>            Priority: Major
>             Fix For: 3.5.4, 3.6.0
>
>         Attachments: ZOOKEEPER-1260-01.patch, zookeeperAuditLogs.pdf
>
>
> Lots of users have had questions on debugging which client changed what znode and what
> updates went through a znode. We should add audit logging as in Hadoop (look at Namenode Audit
> logging) to log which client changed what in the zookeeper servers. This could just be a log4j
> audit logger.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
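
The review comment above turns on Java evaluating call arguments before the callee's flag check runs. The following is an added example, not code from the pull request or from ZooKeeper: the `Request` class, the ACL strings and both `addAuditLog*` variants are hypothetical stand-ins that count how often the ACL string is built when auditing is off.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

public class AuditArgDemo {
    // Hypothetical stand-in for a request; not ZooKeeper's Request class.
    static final class Request {
        final String path;
        final List<String> acls;
        Request(String path, List<String> acls) { this.path = path; this.acls = acls; }
    }

    static boolean auditEnabled = false;
    static final AtomicInteger aclBuilds = new AtomicInteger();
    static final List<String> auditLog = new ArrayList<>();

    // Stand-in for the costly step: rendering the request's ACLs as text.
    static String getACLs(Request request) {
        aclBuilds.incrementAndGet();
        return String.join(",", request.acls);
    }

    // Shape in the diff: the caller builds the ACL string, the flag is checked inside.
    static void addAuditLogEager(Request request, String op, String acls) {
        if (!auditEnabled) return;
        auditLog.add(op + " " + request.path + " acl=" + acls);
    }

    // Shape suggested in the comment: pass only the request, build after the check.
    static void addAuditLogDeferred(Request request, String op) {
        if (!auditEnabled) return;
        auditLog.add(op + " " + request.path + " acl=" + getACLs(request));
    }

    // Returns how many times getACLs() ran for 1000 constructed setACL requests.
    static int buildsFor(boolean enabled, boolean deferred) {
        auditEnabled = enabled;
        aclBuilds.set(0);
        auditLog.clear();
        List<String> acls = List.of("world:anyone:r", "digest:constructed-user:cdrwa");
        for (int i = 0; i < 1000; i++) {
            Request r = new Request("/app/node" + i, acls);
            if (deferred) addAuditLogDeferred(r, "setAcl");
            else addAuditLogEager(r, "setAcl", getACLs(r));
        }
        return aclBuilds.get();
    }

    public static void main(String[] args) {
        System.out.println("disabled, eager:    " + buildsFor(false, false));
        System.out.println("disabled, deferred: " + buildsFor(false, true));
        System.out.println("enabled,  deferred: " + buildsFor(true, true));
    }
}
```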
