I want to start some discussion on how to support complex policy template gracefully.
Today if we want to support a policy like "alert when a user deletes some sensitivity file", then user has to compose very complex policy because in Hdfs file deletion will spawn multiple granular hdfs audit events. It is hard for user to define such a simple policy in a straightforward way. I want to propose to solve the problem with the following approach EAGLE-68 <https://issues.apache.org/jira/browse/EAGLE-68>, EAGLE-14 <https://issues.apache.org/jira/browse/EAGLE-14> First in stream processing phase, Eagle will reassemble user level command from granular audit event which is defined by EAGLE-14 <https://issues.apache.org/jira/browse/EAGLE-14> Second, in UI we provide a general feature for user to import a predefined policy template and those policy templates can be hosted in eagle source code externalPolices for example. this is defined in EAGLE-68 <https://issues.apache.org/jira/browse/EAGLE-68> With this approach, we don't need customize HDFS policy UI and I hope we can always avoid customizing a UI for a specified data source. Please suggest. Thanks Edward Zhang
