[
https://issues.apache.org/jira/browse/HADOOP-10569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vinay Shukla updated HADOOP-10569:
----------------------------------
Description:
It will be very useful to normalize the audit format across various Hadoop
components.
A common audit format will help both tools parse the audit record consistently
across sub-projects and will be easier for humans to interpret audit details.
If a new common audit format is devised it will be useful to consider the
following W's of audit
1. What Action & with What Results - E.g What was done, action initiated, API
invoked, Job Submitted and etc. - What were the results (success, failure etc)
2. Who - E.g User, Proxy User (If available), IP Address (if available)
3. When - Timestamp,
4. Where - What subsystem, component, node name
5. Why : Now why is difficult to answer. However with Audit event correction we
can provide better context. E.g A user submitted PIG script that results in
some MR jobs and HDFS read/writes can be correlated.
There are perhaps 2 ways to achieve the goal of normalized audit records.
1. A common audit facility - as components can start to uptake this common
audit facility, their audit records start adopting to the normalized audit
record format.
2. Change each component to produce audit record in a common format.
Approach 1 appears to be more doable.
was:
It will be very useful to normalize the audit format across various Hadoop
components.
A common audit format will help both tools parse the audit record consistently
across sub-projects and will be easier for humans to interpret audit details.
If a new common audit format is devised it will be useful to consider the
following W's of audit
1. What Action & with What Results - E.g What was done, action initiated, API
invoked, Job Submitted and etc. - What were the results (success, failure etc)
2. Who - E.g User, Proxy User (If available), IP Address (if available)
3. When - Timestamp,
4. Where - What subsystem, component, node name
5. Why : Now why is difficult to answer. However with Audit event correction we
can provide better context. E.g A user submitted PIG script that results in
some MR jobs and HDFS read/writes can be correlated.
> Normalize Hadoop Audit Logs
> ---------------------------
>
> Key: HADOOP-10569
> URL: https://issues.apache.org/jira/browse/HADOOP-10569
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Vinay Shukla
>
> It will be very useful to normalize the audit format across various Hadoop
> components.
> A common audit format will help both tools parse the audit record
> consistently across sub-projects and will be easier for humans to interpret
> audit details.
> If a new common audit format is devised it will be useful to consider the
> following W's of audit
> 1. What Action & with What Results - E.g What was done, action initiated,
> API invoked, Job Submitted and etc. - What were the results (success, failure
> etc)
> 2. Who - E.g User, Proxy User (If available), IP Address (if available)
> 3. When - Timestamp,
> 4. Where - What subsystem, component, node name
> 5. Why : Now why is difficult to answer. However with Audit event correction
> we can provide better context. E.g A user submitted PIG script that results
> in some MR jobs and HDFS read/writes can be correlated.
> There are perhaps 2 ways to achieve the goal of normalized audit records.
> 1. A common audit facility - as components can start to uptake this common
> audit facility, their audit records start adopting to the normalized audit
> record format.
> 2. Change each component to produce audit record in a common format.
> Approach 1 appears to be more doable.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
