[ 
https://issues.apache.org/jira/browse/HDFS-16944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Beibei Zhao updated HDFS-16944:
-------------------------------
    Description: 
We found that in other components (like namenode in hdfs or resourcemanager in 
yarn), debug log and audit log are recorded separately.

There are lots of simple logs to help with debugging for the developers who can 
access the source code. And there are also audit logs with more detailed 
information for privileged operations. In addition, audit logs are always 
recorded to help system admins or users to understand what happened in a real 
run. 

There is an example in yarn: 
{code:java}
  public static final Log auditLog = LogFactory.getLog(
      FSNamesystem.class.getName() + ".audit");

    try {
      // Safety
      userUgi = UserGroupInformation.getCurrentUser();
      user = userUgi.getShortUserName();
    } catch (IOException ie) {
      LOG.warn("Unable to get the current user.", ie); // debug log
      RMAuditLogger.logFailure(user, AuditConstants.SUBMIT_APP_REQUEST,
          ie.getMessage(), "ClientRMService",
          "Exception in submitting application", applicationId, callerContext,
          submissionContext.getQueue()); // audit log
      throw RPCUtil.getRemoteException(ie);
    }
{code}
So I suggest adding an audit log for *RouterAdminServer* to save privileged 
operation logs separately.

 
 
 

  was:
We found that in other components (like namenode in hdfs or resourcemanager in 
yarn), debug log and audit log are recorded separately.

There are lots of simple logs to help with debugging for the developers who can 
access the source code. And there are also audit logs with more detailed 
information for privileged operations. In addition, audit logs are always 
recorded to help system admins or users to understand what happened in a real 
run. 

There is an example in yarn: 
{code:java}
    try {
      // Safety
      userUgi = UserGroupInformation.getCurrentUser();
      user = userUgi.getShortUserName();
    } catch (IOException ie) {
      LOG.warn("Unable to get the current user.", ie); // debug log
      RMAuditLogger.logFailure(user, AuditConstants.SUBMIT_APP_REQUEST,
          ie.getMessage(), "ClientRMService",
          "Exception in submitting application", applicationId, callerContext,
          submissionContext.getQueue()); // audit log
      throw RPCUtil.getRemoteException(ie);
    }
{code}
So I suggest adding an audit log for *RouterAdminServer* to save privileged 
operation logs separately.

 
 
 


> Add audit log for RouterAdminServer to save privileged operation log 
> separately.
> --------------------------------------------------------------------------------
>
>                 Key: HDFS-16944
>                 URL: https://issues.apache.org/jira/browse/HDFS-16944
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: federation
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>
> We found that in other components (like namenode in hdfs or resourcemanager 
> in yarn), debug log and audit log are recorded separately.
> There are lots of simple logs to help with debugging for the developers who can 
> access the source code. And there are also audit logs with more detailed 
> information for privileged operations. In addition, audit logs are always 
> recorded to help system admins or users to understand what happened in a real 
> run. 
> There is an example in yarn: 
> {code:java}
>   public static final Log auditLog = LogFactory.getLog(
>       FSNamesystem.class.getName() + ".audit");
>     try {
>       // Safety
>       userUgi = UserGroupInformation.getCurrentUser();
>       user = userUgi.getShortUserName();
>     } catch (IOException ie) {
>       LOG.warn("Unable to get the current user.", ie); // debug log
>       RMAuditLogger.logFailure(user, AuditConstants.SUBMIT_APP_REQUEST,
>           ie.getMessage(), "ClientRMService",
>           "Exception in submitting application", applicationId, callerContext,
>           submissionContext.getQueue()); // audit log
>       throw RPCUtil.getRemoteException(ie);
>     }
> {code}
> So I suggest adding an audit log for *RouterAdminServer* to save privileged 
> operation logs separately.
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
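
The debug/audit separation the issue asks for, sketched with java.util.logging as an added example (not code from the issue or from Hadoop). The class name, the `clean` and `auditLine` helpers, the record layout and the sample users, operation and paths are assumptions; caller-supplied values are escaped so a crafted user name cannot forge a second audit record.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

// Hypothetical sketch: every name here is illustrative, not Hadoop's API.
public class RouterAdminAuditDemo {
  // Debug log: free-form messages for developers.
  static final Logger LOG = Logger.getLogger(RouterAdminAuditDemo.class.getName());
  // Audit log: its own logger name, so it can be routed to its own file.
  static final Logger AUDIT =
      Logger.getLogger(RouterAdminAuditDemo.class.getName() + ".audit");

  static {
    AUDIT.setUseParentHandlers(false); // keep audit records out of the debug log
    ConsoleHandler h = new ConsoleHandler(); // stand-in for a dedicated audit file
    h.setFormatter(new Formatter() {
      @Override public String format(LogRecord r) {
        return r.getMillis() + "\t" + r.getMessage() + System.lineSeparator();
      }
    });
    AUDIT.addHandler(h);
  }

  // Escape backslashes and control characters (tab, CR, LF) in caller-supplied values.
  static String clean(String v) {
    if (v == null) return "null";
    StringBuilder sb = new StringBuilder();
    for (char c : v.toCharArray()) {
      boolean bad = c == '\\' || Character.isISOControl(c);
      sb.append(bad ? String.format("\\x%02x", (int) c) : String.valueOf(c));
    }
    return sb.toString();
  }

  // One tab-separated KEY=value record per privileged operation (assumed layout).
  static String auditLine(boolean ok, String user, String op, String target, String why) {
    return "USER=" + clean(user) + "\tOPERATION=" + clean(op) + "\tTARGET=" + clean(target)
        + "\tRESULT=" + (ok ? "SUCCESS" : "FAILURE\tDESCRIPTION=" + clean(why));
  }

  public static void main(String[] args) {
    // Constructed sample calls; users, operation name and paths are made up.
    AUDIT.info(auditLine(true, "hdfsadmin", "addMountTableEntry", "/data", null));
    LOG.warning("addMountTableEntry failed: Permission denied"); // debug log
    AUDIT.info(auditLine(false, "eve\nUSER=root", "addMountTableEntry", "/tmp",
        "Permission denied")); // audit log: the embedded newline is written as \x0a
  }
}
```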
