Hello, 

    The feature to exclude certain operations for audit log is ready: 
https://github.com/apache/ozone/pull/3289 
    Please help to review.

    We also noticed it might be inconvenient for users to update the 
configuration, since it needs to restart the service to reload the 
configurations. 
    So we also build a dynamic refresh feature to refresh the configuration, 
will raise the ticket after the above PR finishes. 
    Also hope to get reviewed.

Thanks 
Symious
 
    

> On 7 Apr 2022, at 2:33 PM, Janus Chow <yiyang0...@gmail.com> wrote:
> 
> Hello, 
> 
>     @Arp @feihui, Thanks for the reply. 
> 
>     Have created a ticket for the feature to exclude operations on demand. 
> (https://issues.apache.org/jira/browse/HDDS-6562)
> 
> Thanks 
> Yiyang
> 
> Arpit Agarwal <aagar...@cloudera.com.invalid> wrote on Wed, 6 Apr 2022 at 21:36:
> Hi Yiyang,
> 
> +1 to enable if we have a way to exclude on demand.
> 
> Thanks,
> Arpit
> 
> 
> > On Apr 3, 2022, at 9:37 PM, Janus Chow <yiyang0...@gmail.com> wrote:
> > 
> > Thanks for the reply. @Arp
> > 
> > From the commit in
> > https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/resources/hdfs-default.xml#L3190,
> > I think by default the configuration is empty.
> > 
> > In a related ticket, https://issues.apache.org/jira/browse/HDFS-9828, it's
> > also recommended not to disable READ audit logs.
> > 
> > Currently, we only enabled audit for READ in our UAT cluster, the
> > request/second is not very high, in PROD cluster, it should be quite higher.
> > 
> > IMHO, the read audit log is quite useful, the problem is that we don't have
> > a similar way like HDFS to exclude some read operations. If we have a
> > similar exclude mechanism, is it ok to enable READ operation audit log by
> > default?
> > 
> > 
> > Thanks
> > Yiyang
> > 
> > Arpit Agarwal <aagar...@cloudera.com.invalid> wrote on Mon, 4 Apr 2022 at 12:01:
> > 
> >> Hi Janus,
> >> 
> >> Performance will be the main concern. In busy HDFS clusters admins are
> >> likely to use dfs.namenode.audit.log.debug.cmdlist.
> >> 
> >> Have you enabled read audit logging in your Ozone cluster? What is the
> >> number of requests/second?
> >> 
> >> Thanks,
> >> Arpit
> >> 
> >> 
> >>> On Apr 3, 2022, at 7:58 PM, Janus Chow <yiyang0...@gmail.com> wrote:
> >>> 
> >>> Hi Ozone dev,
> >>> 
> >>> When checking the audit logs from Ozone components, we found that by
> >>> default Ozone only logs WRITE operations. In order to enable the audit log
> >>> for READ operations, we need to change the configurations in
> >>> audit-log4j2.properties.
> >>> That brings some confusion for users when comparing it to some other
> >>> storage systems, like HDFS, in which audit logs are enabled for both READ
> >>> and WRITE by default.
> >>> 
> >>> We have a Jira ticket (https://issues.apache.org/jira/browse/HDDS-6532) and
> >>> PR (https://github.com/apache/ozone/pull/3255) about adding audit logs for
> >>> READ operations by default.
> >>> Could you help to check and comment if there are any specific concerns
> >>> not to enable READ audit logs?
> >>> 
> >>> Yiyang
> >>> Thank you very much.
> >> 
> >> 
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@ozone.apache.org
> >> For additional commands, e-mail: dev-h...@ozone.apache.org
> >> 
> >> 
> 
> 
> 
