ayushtkn commented on code in PR #5468: URL: https://github.com/apache/hadoop/pull/5468#discussion_r1173031944
########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ########## @@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT; + +public class RouterSecurityAuditLogger { Review Comment: I think this extend any child class of AuditLogger? ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ########## 
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT; + +public class RouterSecurityAuditLogger { + + public static final Logger AUDIT_LOG = LoggerFactory.getLogger( + RouterSecurityManager.class.getName() + ".audit"); + + private static final ThreadLocal<StringBuilder> STRING_BUILDER = + new ThreadLocal<StringBuilder>() { + @Override + protected StringBuilder initialValue() { + return new StringBuilder(); + } + }; Review Comment: May be ``` private static final ThreadLocal<StringBuilder> STRING_BUILDER = ThreadLocal.withInitial(StringBuilder::new); ``` ########## 
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java: ##########
@@ -213,7 +225,8 @@ public void cancelDelegationToken(Token<DelegationTokenIdentifier> token)
tokenId = id.toStringStable();
throw ace;
} finally {
- logAuditEvent(success, operationName, tokenId);
+ logAuditEvent(success, user, Server.getRemoteIp(), operationName,
+ CallerContext.getCurrent(), tokenId);
Review Comment: user is empty here? There is a line above ``` String canceller = getRemoteUser().getUserName(); ``` This guy is your user ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ##########
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; Review Comment: Don't use *, expand the imports ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityAuditLogger.java: ########## 
@@ -0,0 +1,53 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.security; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdfs.server.federation.router.security.RouterSecurityAuditLogger; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.junit.Test; + +import java.io.IOException; + +import static org.junit.Assert.*; + +public class TestRouterSecurityAuditLogger { + + @Test + public void testRouterSecurityAuditLog() throws IOException { Review Comment: This is very basic and invoking directly the audit logger not invoking from the actual API. any scope to add tests which invokes audit logging via API invocation and you can grep the logs? ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ########## 
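Review bot: The hunk ends at the `testRouterSecurityAuditLog` signature, so the cases the test covers are not visible here, but the record format produced by creatAuditLog has boundaries that deserve explicit pins: a context exactly at and one over `callerContextMaxLen`, a signature longer than `callerSignatureMaxLen` (which is dropped rather than truncated), a `null` caller context, and a context that contains `\t` or `\n`. For each, assert the field count obtained by splitting the record on `\t` as well as the exact `callerContext=` value, because the audit line is what an operator greps and a silent change in its separators would not fail a substring assertion. The test method's body continues past the end of this hunk.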
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT; + +public class RouterSecurityAuditLogger { + + public static final Logger AUDIT_LOG = LoggerFactory.getLogger( + RouterSecurityManager.class.getName() + ".audit"); + + private static final ThreadLocal<StringBuilder> STRING_BUILDER = + new ThreadLocal<StringBuilder>() { + @Override + protected StringBuilder initialValue() { + return new StringBuilder(); + } + }; + + private int callerContextMaxLen; + private int callerSignatureMaxLen; + + public RouterSecurityAuditLogger(Configuration conf) { + callerContextMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_MAX_SIZE_DEFAULT); + 
callerSignatureMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT); + } + + public void logAuditEvent(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + if (AUDIT_LOG.isDebugEnabled() || AUDIT_LOG.isInfoEnabled()) { + logAuditMessage( + creatAuditLog(succeeded, userName, addr, cmd, callerContext, + tokenId)); + } + } + + @VisibleForTesting + public String creatAuditLog(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + final StringBuilder sb = STRING_BUILDER.get(); + sb.setLength(0); + sb.append("allowed=").append(succeeded).append("\t"); + sb.append("ugi=").append(userName).append("\t"); + sb.append("ip=").append(addr).append("\t"); + sb.append("cmd=").append(cmd).append("\t"); + + sb.append("\t").append("toeknId="); + sb.append(tokenId); + + sb.append("\t").append("proto="); + sb.append(Server.getProtocol()); + if ( + callerContext != null && + callerContext.isContextValid()) { + sb.append("\t").append("callerContext="); Review Comment: Formatting issue ``` if (callerContext != null && callerContext.isContextValid()) { ``` ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ########## 
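Review bot: The token field is written under the misspelled key `toeknId=` in creatAuditLog, and it is preceded by two tab characters because the `cmd=` field already ends with `\t` and another `\t` is appended before it, so a consumer splitting the record on tabs sees an empty field and a key nobody will grep for. Replace the two lines with `sb.append("tokenId=").append(tokenId);` directly after the `cmd=` line and keep the single `\t` that precedes `proto=`. Separately, `AUDIT_LOG.isDebugEnabled() || AUDIT_LOG.isInfoEnabled()` in logAuditEvent reduces to `AUDIT_LOG.isInfoEnabled()` since debug being enabled implies info is. The same lines are quoted again in the later copies of this hunk; creatAuditLog's body continues past the end of this one.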
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT; + +public class RouterSecurityAuditLogger { + + public static final Logger AUDIT_LOG = LoggerFactory.getLogger( + RouterSecurityManager.class.getName() + ".audit"); + + private static final ThreadLocal<StringBuilder> STRING_BUILDER = + new ThreadLocal<StringBuilder>() { + @Override + protected StringBuilder initialValue() { + return new StringBuilder(); + } + }; + + private int callerContextMaxLen; + private int callerSignatureMaxLen; Review Comment: can be ``final``? 
########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java: ##########
@@ -51,6 +54,8 @@ public class RouterSecurityManager {
private AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> dtSecretManager = null;
+ private RouterSecurityAuditLogger auditLogger;
Review Comment: Can be ``final``? ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java: ##########
@@ -62,12 +67,14 @@ public RouterSecurityManager(Configuration conf) throws IOException {
throw new IOException("Failed to create SecretManager");
}
}
+ auditLogger = new RouterSecurityAuditLogger(conf);
}
@VisibleForTesting
public RouterSecurityManager(AbstractDelegationTokenSecretManager <DelegationTokenIdentifier> dtSecretManager) {
this.dtSecretManager = dtSecretManager;
+ auditLogger = new RouterSecurityAuditLogger(new Configuration());
Review Comment: doing new Configuration() is usually a bad idea, This method is used only in test, explore deprecating this and add a new method which takes in the conf and pass it from the test. In the new method if ``conf`` is ``null`` don't ``initialise`` the ``auditLogger`` instead just put a ``warn`` log that ``RouterAuditLogger`` is ``disabled and something like that ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java: ##########
@@ -186,7 +196,8 @@ public long renewDelegationToken(Token<DelegationTokenIdentifier> token)
tokenId = id.toStringStable();
throw ace;
} finally {
- logAuditEvent(success, operationName, tokenId);
+ logAuditEvent(success, user, Server.getRemoteIp(), operationName,
Review Comment: isn't user always an empty string here? Should have been ```user = getRemoteUser().getUserName();``` ? ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ##########
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT; + +public class RouterSecurityAuditLogger { + + public static final Logger AUDIT_LOG = LoggerFactory.getLogger( + RouterSecurityManager.class.getName() + ".audit"); + + private static final ThreadLocal<StringBuilder> STRING_BUILDER = + new ThreadLocal<StringBuilder>() { + @Override + protected StringBuilder initialValue() { + return new StringBuilder(); + } + }; + + private int callerContextMaxLen; + private int callerSignatureMaxLen; + + public RouterSecurityAuditLogger(Configuration conf) { + callerContextMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_MAX_SIZE_DEFAULT); + 
callerSignatureMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT); + } + + public void logAuditEvent(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + if (AUDIT_LOG.isDebugEnabled() || AUDIT_LOG.isInfoEnabled()) { + logAuditMessage( + creatAuditLog(succeeded, userName, addr, cmd, callerContext, + tokenId)); + } + } + + @VisibleForTesting + public String creatAuditLog(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + final StringBuilder sb = STRING_BUILDER.get(); + sb.setLength(0); + sb.append("allowed=").append(succeeded).append("\t"); + sb.append("ugi=").append(userName).append("\t"); + sb.append("ip=").append(addr).append("\t"); + sb.append("cmd=").append(cmd).append("\t"); + + sb.append("\t").append("toeknId="); + sb.append(tokenId); + + sb.append("\t").append("proto="); + sb.append(Server.getProtocol()); + if ( + callerContext != null && + callerContext.isContextValid()) { + sb.append("\t").append("callerContext="); + if (callerContext.getContext().length() > callerContextMaxLen) { + sb.append(callerContext.getContext().substring(0, + callerContextMaxLen)); + } else { + sb.append(callerContext.getContext()); + } + if (callerContext.getSignature() != null && + callerContext.getSignature().length > 0 && + callerContext.getSignature().length <= callerSignatureMaxLen) { + sb.append(":"); + sb.append(new String(callerContext.getSignature(), + CallerContext.SIGNATURE_ENCODING)); Review Comment: Thats what ``FSNamesystemAuditLogger`` does, should be inline with that ``` .append(escapeJava(new String(callerContext.getSignature(), CallerContext.SIGNATURE_ENCODING))); ``` ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ########## 
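Review bot: The caller context string is appended to the audit record unescaped in the `callerContext=` branch of creatAuditLog, and the context is carried in the RPC request header, i.e. chosen by the client, so a value containing `\t` or `\n` can end the field early or make a fabricated second record whose `ugi=`/`cmd=` attribution looks genuine to anyone reading or parsing the log. Truncate first, then escape before appending: `String ctx = callerContext.getContext();` followed by `sb.append(escapeJava(ctx.length() > callerContextMaxLen ? ctx.substring(0, callerContextMaxLen) : ctx));`, so the length limit still applies to the raw client input while the written line stays single-line and tab-safe. The same lines are quoted again in the later copies of this hunk, and creatAuditLog's body continues past the end of this one.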
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT; + +public class RouterSecurityAuditLogger { + + public static final Logger AUDIT_LOG = LoggerFactory.getLogger( + RouterSecurityManager.class.getName() + ".audit"); + + private static final ThreadLocal<StringBuilder> STRING_BUILDER = + new ThreadLocal<StringBuilder>() { + @Override + protected StringBuilder initialValue() { + return new StringBuilder(); + } + }; + + private int callerContextMaxLen; + private int callerSignatureMaxLen; + + public RouterSecurityAuditLogger(Configuration conf) { + callerContextMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_MAX_SIZE_DEFAULT); + 
callerSignatureMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT); + } + + public void logAuditEvent(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + if (AUDIT_LOG.isDebugEnabled() || AUDIT_LOG.isInfoEnabled()) { + logAuditMessage( + creatAuditLog(succeeded, userName, addr, cmd, callerContext, + tokenId)); + } + } + + @VisibleForTesting + public String creatAuditLog(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + final StringBuilder sb = STRING_BUILDER.get(); + sb.setLength(0); + sb.append("allowed=").append(succeeded).append("\t"); + sb.append("ugi=").append(userName).append("\t"); + sb.append("ip=").append(addr).append("\t"); + sb.append("cmd=").append(cmd).append("\t"); + + sb.append("\t").append("toeknId="); + sb.append(tokenId); + + sb.append("\t").append("proto="); + sb.append(Server.getProtocol()); + if ( + callerContext != null && + callerContext.isContextValid()) { + sb.append("\t").append("callerContext="); + if (callerContext.getContext().length() > callerContextMaxLen) { + sb.append(callerContext.getContext().substring(0, + callerContextMaxLen)); Review Comment: Can directly do ``` sb.append(callerContext.getContext(), 0, callerContextMaxLen); ``` ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java: ########## 
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.router.security; + +import org.apache.hadoop.classification.VisibleForTesting; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.net.InetAddress; + +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT; + +public class RouterSecurityAuditLogger { + + public static final Logger AUDIT_LOG = LoggerFactory.getLogger( + RouterSecurityManager.class.getName() + ".audit"); + + private static final ThreadLocal<StringBuilder> STRING_BUILDER = + new ThreadLocal<StringBuilder>() { + @Override + protected StringBuilder initialValue() { + return new StringBuilder(); + } + }; + + private int callerContextMaxLen; + private int callerSignatureMaxLen; + + public RouterSecurityAuditLogger(Configuration conf) { + callerContextMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_MAX_SIZE_DEFAULT); + 
callerSignatureMaxLen = conf.getInt( + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY, + HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT); + } + + public void logAuditEvent(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + if (AUDIT_LOG.isDebugEnabled() || AUDIT_LOG.isInfoEnabled()) { + logAuditMessage( + creatAuditLog(succeeded, userName, addr, cmd, callerContext, + tokenId)); + } + } + + @VisibleForTesting + public String creatAuditLog(boolean succeeded, String userName, + InetAddress addr, String cmd, + CallerContext callerContext, String tokenId) { + final StringBuilder sb = STRING_BUILDER.get(); + sb.setLength(0); + sb.append("allowed=").append(succeeded).append("\t"); + sb.append("ugi=").append(userName).append("\t"); + sb.append("ip=").append(addr).append("\t"); + sb.append("cmd=").append(cmd).append("\t"); + + sb.append("\t").append("toeknId="); + sb.append(tokenId); + + sb.append("\t").append("proto="); + sb.append(Server.getProtocol()); + if ( Review Comment: Should even check if ``CallerContext`` is enabled or not, and log only then The conf is ``` hadoop.caller.context.enabled ``` ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityAuditLogger.java: ########## 
@@ -0,0 +1,53 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.security; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdfs.server.federation.router.security.RouterSecurityAuditLogger; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.junit.Test; + +import java.io.IOException; + +import static org.junit.Assert.*; Review Comment: No grouping of imports ########## hadoop-hdfs-project/hadoop-hdfs-rbf/src/test/java/org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityAuditLogger.java: ########## 
@@ -0,0 +1,53 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hdfs.server.federation.security; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdfs.server.federation.router.security.RouterSecurityAuditLogger; +import org.apache.hadoop.ipc.CallerContext; +import org.apache.hadoop.ipc.Server; +import org.junit.Test; + +import java.io.IOException; + +import static org.junit.Assert.*; + +public class TestRouterSecurityAuditLogger { Review Comment: Add a javadoc for the test class that It has tests related to RouterSecurityAuditLogs -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
