Are you looking for a reviewer for these? Will Greg have time to review?

On Thu, Mar 1, 2018 at 3:19 AM, Alexander Rojas <alexander.ro...@gmail.com>
wrote:

> This is a good question on where to do the audit, should it happen in the
> authorization module itself, or in the caller. It doesn’t help that you can
> authorize using approvers or the authorizer or the not so long ago
> introduced acceptors. There are also function wrappers that help to do so.
>
> The feeling we have had in the past is that the authorizer interface was
> created to accommodate the needs of the people writing authorization modules
> but not so much its use inside our code base. That’s why I’ve been working
> on a set of patches to try to clean up a little bit the code that calls
> authorization based on ideas from BenH https://reviews.apache.org/r/65311/
> .
>
> Reviews/comments always welcomed
>
> Alexander Rojas
> alexander.ro...@gmail.com
>
>
>
>
> On 28. Feb 2018, at 23:52, Benjamin Mahler <bmah...@apache.org> wrote:
>
> When touching some code, I noticed that authorization logging is currently
> done rather inconsistently across the call-sites and many cases do not log
> the request:
>
> $ grep -R -A 3 'LOG.*Authorizing' src
>
> Should authorization logging be the concern of an authorizer
> implementation? For audit purposes I could imagine this also being part of
> a separate log that the authorizer maintains?
>
> Ben
>
>
>
