Yep, I'm in the process of reviewing them now.

On Wed, Mar 7, 2018 at 6:05 PM, Benjamin Mahler <bmah...@apache.org> wrote:

> Are you looking for a reviewer for these? Will Greg have time to review?
>
> On Thu, Mar 1, 2018 at 3:19 AM, Alexander Rojas <alexander.ro...@gmail.com> wrote:
>
> > This is a good question on where to do the audit: should it happen in the
> > authorization module itself, or in the caller? It doesn’t help that you can
> > authorize using approvers or the authorizer or the not so long ago
> > introduced acceptors. There are also function wrappers that help to do so.
> >
> > The feeling we have had in the past is that the authorizer interface was
> > created to accommodate the needs of the people writing authorization modules
> > but not so much its use inside our code base. That’s why I’ve been working
> > on a set of patches to try to clean up a little bit the code that calls
> > authorization based on ideas from BenH https://reviews.apache.org/r/65311/.
> >
> > Reviews/comments always welcomed
> >
> > Alexander Rojas
> > alexander.ro...@gmail.com
> >
> >
> >
> >
> > On 28. Feb 2018, at 23:52, Benjamin Mahler <bmah...@apache.org> wrote:
> >
> > When touching some code, I noticed that authorization logging is currently
> > done rather inconsistently across the call-sites and many cases do not log
> > the request:
> >
> > $ grep -R -A 3 'LOG.*Authorizing' src
> >
> > Should authorization logging be the concern of an authorizer
> > implementation? For audit purposes I could imagine this also being part of
> > a separate log that the authorizer maintains?
> >
> > Ben
> >
> >
> >
>
