[
https://issues.apache.org/jira/browse/HDFS-16945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708586#comment-17708586
]
ASF GitHub Bot commented on HDFS-16945:
---------------------------------------
simbadzina commented on code in PR #5468:
URL: https://github.com/apache/hadoop/pull/5468#discussion_r1157760199
##########
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java:
##########
@@ -0,0 +1,109 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.server.federation.router.security;
+
+import org.apache.hadoop.classification.VisibleForTesting;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.ipc.CallerContext;
+import org.apache.hadoop.ipc.Server;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.InetAddress;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*;
+import static
org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT;
+
+public class RouterSecurityAuditLogger {
+
+ public static final Logger AUDIT_LOG = LoggerFactory.getLogger(
+ RouterSecurityManager.class.getName() + ".audit");
+
+ private static final ThreadLocal<StringBuilder> STRING_BUILDER =
+ new ThreadLocal<StringBuilder>() {
+ @Override
+ protected StringBuilder initialValue() {
+ return new StringBuilder();
+ }
+ };
+
+ private int callerContextMaxLen;
+ private int callerSignatureMaxLen;
+
+ public RouterSecurityAuditLogger(Configuration conf) {
+ callerContextMaxLen = conf.getInt(
+ HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY,
+ HADOOP_CALLER_CONTEXT_MAX_SIZE_DEFAULT);
+ callerSignatureMaxLen = conf.getInt(
+ HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY,
+ HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT);
+ }
+
+ public void logAuditEvent(boolean succeeded, String userName,
+ InetAddress addr, String cmd,
+ CallerContext callerContext, String tokenId) {
+ if (AUDIT_LOG.isDebugEnabled() || AUDIT_LOG.isInfoEnabled()) {
+ logAuditMessage(
+ creatAuditLog(succeeded, userName, addr, cmd, callerContext,
+ tokenId));
+ }
+ }
+
+ @VisibleForTesting
+ public String creatAuditLog(boolean succeeded, String userName,
Review Comment:
Typo `createAuditLog`
##########
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.java:
##########
@@ -152,7 +160,8 @@ public Token<DelegationTokenIdentifier>
getDelegationToken(Text renewer)
tokenId = dtId.toStringStable();
success = true;
} finally {
- logAuditEvent(success, operationName, tokenId);
+ logAuditEvent(success, user, Server.getRemoteIp(), operationName,
Review Comment:
The remote address should be part of the CallerContext as well after
HDFS-13248.
##########
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java:
##########
@@ -0,0 +1,109 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.server.federation.router.security;
+
+import org.apache.hadoop.classification.VisibleForTesting;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.ipc.CallerContext;
+import org.apache.hadoop.ipc.Server;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.InetAddress;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*;
+import static
org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT;
+
+public class RouterSecurityAuditLogger {
+
+ public static final Logger AUDIT_LOG = LoggerFactory.getLogger(
+ RouterSecurityManager.class.getName() + ".audit");
+
+ private static final ThreadLocal<StringBuilder> STRING_BUILDER =
+ new ThreadLocal<StringBuilder>() {
+ @Override
+ protected StringBuilder initialValue() {
+ return new StringBuilder();
+ }
+ };
Review Comment:
The Java8 construct is a bit more readable.
```
ThreadLocal.withInitial(() -> new StringBuilder());
```
##########
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityAuditLogger.java:
##########
@@ -0,0 +1,109 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hdfs.server.federation.router.security;
+
+import org.apache.hadoop.classification.VisibleForTesting;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.ipc.CallerContext;
+import org.apache.hadoop.ipc.Server;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.InetAddress;
+
+import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.*;
+import static
org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT;
+
+public class RouterSecurityAuditLogger {
+
+ public static final Logger AUDIT_LOG = LoggerFactory.getLogger(
+ RouterSecurityManager.class.getName() + ".audit");
+
+ private static final ThreadLocal<StringBuilder> STRING_BUILDER =
+ new ThreadLocal<StringBuilder>() {
+ @Override
+ protected StringBuilder initialValue() {
+ return new StringBuilder();
+ }
+ };
+
+ private int callerContextMaxLen;
+ private int callerSignatureMaxLen;
+
+ public RouterSecurityAuditLogger(Configuration conf) {
+ callerContextMaxLen = conf.getInt(
+ HADOOP_CALLER_CONTEXT_MAX_SIZE_KEY,
+ HADOOP_CALLER_CONTEXT_MAX_SIZE_DEFAULT);
+ callerSignatureMaxLen = conf.getInt(
+ HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_KEY,
+ HADOOP_CALLER_CONTEXT_SIGNATURE_MAX_SIZE_DEFAULT);
+ }
+
+ public void logAuditEvent(boolean succeeded, String userName,
+ InetAddress addr, String cmd,
+ CallerContext callerContext, String tokenId) {
+ if (AUDIT_LOG.isDebugEnabled() || AUDIT_LOG.isInfoEnabled()) {
+ logAuditMessage(
+ creatAuditLog(succeeded, userName, addr, cmd, callerContext,
+ tokenId));
+ }
+ }
+
+ @VisibleForTesting
+ public String creatAuditLog(boolean succeeded, String userName,
+ InetAddress addr, String cmd,
+ CallerContext callerContext, String tokenId) {
+ final StringBuilder sb = STRING_BUILDER.get();
+ sb.setLength(0);
+ sb.append("allowed=").append(succeeded).append("\t");
+ sb.append("ugi=").append(userName).append("\t");
+ sb.append("ip=").append(addr).append("\t");
+ sb.append("cmd=").append(cmd).append("\t");
+
+ sb.append("\t").append("toeknId=");
Review Comment:
Typo `tokenId`
> RBF: add RouterSecurityAuditLogger for router security manager
> --------------------------------------------------------------
>
> Key: HDFS-16945
> URL: https://issues.apache.org/jira/browse/HDFS-16945
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: rbf
> Affects Versions: 3.4.0
> Reporter: Max Xie
> Assignee: Max Xie
> Priority: Minor
> Labels: pull-request-available
>
> we should add audit log for router security manager for token APIs. For
> examples,
> ```
>
> {{2023-03-02 20:53:02,712 INFO
> org.apache.hadoop.hdfs.server.federation.router.security.RouterSecurityManager.audit:
> allowed=true ugi=hadoop ip=localhost/127.0.0.1 cmd=getDelegationToken
> toeknId=HDFS_DELEGATION_TOKEN token 18359 for hadoop with renewer
> hadoop proto=webhdfs}}
> ```
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
