HDFS-16944 Add audit log for RouterAdminServer to save privileged operation log separately. #5464
base: trunk
…ration log separately. We found that in other components (like namenode in hdfs or resourcemanager in yarn), debug log and audit log are recorded separately, except RouterAdminServer.
💔 -1 overall
This message was automatically generated.
I wonder if they qualify for audit logs. Only initial log for every RPC call should be considered audit rather than result or internal result state of the given RPC?
Also we usually have audit logs disabled by default (using NullAppender) i.e. at least configured separately from main application logs.
For RBF, if we really want audit logs, they should cover all like add/update mount table entry etc, and not just name service APIs. If we only need auditing for name service RPC, then we can rather name the logger as
If we are classifying these as Audit logs, we should have them in a proper way and for all the operations, not just selectively.
We should even consider having a subclass of DefaultAuditLogger, like RouterAdminAuditLoger, and then push the entries in a certain format.
Agree to the above suggestion of having a new audit logger class and use it for all operations. Also Ayush, do you think we should rather have audit logs that indicate the audit and not the result as such? For instance, here it seems we are trying to audit the result instead like "whether nameservice was successfully enabled".
On the other hand, while hdfs audit logs report whether the given operation had successful authorization (i.e. whether
The only policy around audit logs that I am aware of is that they shouldn't change and the parsers should be able to parse them. So, if we make the format similar to that of the HDFS ones, that should be good but still not a strict ask. Regarding logging One main reason for only ACE was: we are always interested in successful cases, since they change the state of the FS; other failures we don't care about because they didn't do anything; for RPC load or so use the NamenodeMetrics. ACE finds special attention as it is a bit alarming: that someone who doesn't have access attempted to do some operation, "Some illegal guy in the town trying to do operation X, which he ain't allowed to do". That is what I know, that is very old stuff, will research some more about that sometime....
Wow, quite a history behind ACE, thanks a lot for summarizing everything here :) I was wondering in the past also as to why is it that hdfs audit logs only care for auth success/failure rather than overall operation success/failure but yes it does make sense to audit if authorized access was granted for the given operation, as it's more alarming than other failures. (for other failures, there are tons of logs anyways)
HDFS-16944 We found that in other components (like namenode in hdfs or resourcemanager in yarn), debug log and audit log are recorded separately, except RouterAdminServer. There are lots of simple logs to help with debugging for the developers who can access the source code. And there are also audit logs that record privileged operations with more detailed information to help system admins understand what happened in a real run.
There is an example in yarn:
So I suggest adding an audit log for RouterAdminServer to save privileged operation logs separately. The logger's name may be:
I choose className.audit finally and record AUDITLOG instead of LOG for the privileged operations that call the permission check function checkSuperuserPrivilege.
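The review thread above asks that audit entries stay parseable and notes that authorization failures (ACE) deserve the most attention. The following is an added example, not code from this PR or from Hadoop: it assumes the router admin audit logger emits the tab-separated key=value layout used by the HDFS namenode audit log (the page does not fix a format), and the log prefix, users, addresses and cmd values in the sample are constructed.

```python
from collections import Counter

# Constructed sample lines (not real logs). Assumed layout: namenode-style
# tab-separated key=value pairs after whatever prefix the appender adds.
SAMPLE = [
    "2023-03-08 10:01:02,113 INFO RouterAdminServer.audit: allowed=true\tugi=hdfsadmin (auth:KERBEROS)\tip=/10.0.0.5\tcmd=enableNameservice\tsrc=ns1\tdst=null\tperm=null\tproto=rpc",
    "2023-03-08 10:02:40,007 INFO RouterAdminServer.audit: allowed=false\tugi=alice (auth:SIMPLE)\tip=/10.0.0.9\tcmd=addMountTableEntry\tsrc=/data\tdst=null\tperm=null\tproto=rpc",
    "2023-03-08 10:02:41,250 DEBUG RouterAdminServer: refreshing mount table cache",
    "2023-03-08 10:02:44,981 INFO RouterAdminServer.audit: allowed=false\tugi=alice (auth:SIMPLE)\tip=/10.0.0.9\tcmd=disableNameservice\tsrc=ns1\tdst=null\tperm=null\tproto=rpc",
    "2023-03-08 10:05:10,400 INFO RouterAdminServer.audit: allowed=false\tugi=bob (auth:SIMPLE)\tip=/10.0.0.12\tcmd=removeMountTableEntry\tsrc=/tmp\tdst=null\tperm=null\tproto=rpc",
]


def parse_audit_line(line):
    """Return the key=value fields of one audit line, or None for other log lines."""
    start = line.find("allowed=")
    if start < 0:
        return None  # debug/application log line, not an audit entry
    fields = {}
    for part in line[start:].rstrip("\n").split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    # Normalise the two fields an analyst pivots on.
    fields["user"] = fields.get("ugi", "").split(" (auth:")[0]
    fields["ip"] = fields.get("ip", "").lstrip("/")
    return fields


def denied_operations(lines):
    """List (user, ip, cmd) for every entry whose permission check failed."""
    denied = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec.get("allowed") == "false":
            denied.append((rec["user"], rec["ip"], rec.get("cmd")))
    return denied


def repeated_denials(lines, threshold=2):
    """Map (user, ip) to denial count when it reaches the threshold."""
    counts = Counter((user, ip) for user, ip, _ in denied_operations(lines))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for entry in denied_operations(SAMPLE):
        print("denied:", entry)
    print("repeated:", repeated_denials(SAMPLE))
```

Keeping the audit logger on its own appender means a parser like this never has to separate audit entries from debug output in the first place; the debug line in the sample only shows what happens when the two streams are mixed.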