[jira] [Commented] (HDFS-12300) Audit-log delegation token related operations

Thu, 31 Aug 2017 16:38:22 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-12300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16149787#comment-16149787
 ] 

Xiao Chen commented on HDFS-12300:
----------------------------------

Hey Ravi,

Thanks a lot for reviewing!

I was only deducting about the reasoning why FSN writes is own code instead of 
calling the general helper method, so I don't have numbers. Considering 
reflections are usually resource-heavy, and we tend to optimize NN within the 
namespace lock, it seems plausible.
The overhead I was referring to are specific to [these 
lines|https://github.com/apache/hadoop/blob/branch-3.0.0-alpha4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L170-L174].
 IMHO it's up to each module to decide whether this is costly enough for 
optimization, likely from the result of stress tests.

bq. why we don't audit log when some exceptions are thrown and not others
I think HDFS-10776 (and its first comment) is the best answer available - we 
only log AccessControlExceptions, and don't care about others.

Patch 2 to fix the checkstyle.

> Audit-log delegation token related operations
> ---------------------------------------------
>
>                 Key: HDFS-12300
>                 URL: https://issues.apache.org/jira/browse/HDFS-12300
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: namenode
>    Affects Versions: 0.22.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HDFS-12300.01.patch, HDFS-12300.02.patch
>
>
> When inspecting the code, I found that the following methods in FSNamesystem 
> are not audit logged:
> - getDelegationToken
> - renewDelegationToken
> - cancelDelegationToken
> The audit log itself does have a logTokenTrackingId field to additionally log 
> some details when a token is used for authentication.
> After emailing the community, we should add that.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to