[ 
https://issues.apache.org/jira/browse/HDFS-16944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18032639#comment-18032639
 ] 

ASF GitHub Bot commented on HDFS-16944:
---------------------------------------

github-actions[bot] commented on PR #5464:
URL: https://github.com/apache/hadoop/pull/5464#issuecomment-3440030007

   We're closing this stale PR because it has been open for 100 days with no 
activity. This isn't a judgement on the merit of the PR in any way. It's just a 
way of keeping the PR queue manageable.
   If you feel like this was a mistake, or you would like to continue working 
on it, please feel free to re-open it and ask for a committer to remove the 
stale tag and review again.
   Thanks all for your contribution.




> Add audit log for RouterAdminServer to save privileged operation log 
> separately.
> --------------------------------------------------------------------------------
>
>                 Key: HDFS-16944
>                 URL: https://issues.apache.org/jira/browse/HDFS-16944
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: federation
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>              Labels: pull-request-available
>
> We found that in other components (like namenode in hdfs or resourcemanager 
> in yarn), *debug log and audit log are recorded separately*, except 
> *RouterAdminServer*.
> There are lots of +simple+ logs to help with debugging for the *developers* 
> who can access the source code. And there are also audit logs that record 
> +privileged operations+ with more +detailed+ information to help *system 
> admins* understand what happened in a real run. 
> There is an example in yarn: 
> {code:java}
>     try {
>       // Safety
>       userUgi = UserGroupInformation.getCurrentUser();
>       user = userUgi.getShortUserName();
>     } catch (IOException ie) {
>       LOG.warn("Unable to get the current user.", ie); // debug log
>       RMAuditLogger.logFailure(user, AuditConstants.SUBMIT_APP_REQUEST,
>           ie.getMessage(), "ClientRMService",
>           "Exception in submitting application", applicationId, callerContext,
>           submissionContext.getQueue()); // audit log
>       throw RPCUtil.getRemoteException(ie);
>     }
> {code}
> So I suggest adding an audit log for *RouterAdminServer* to save privileged 
> operation logs separately.
> The logger's name may be: 
> {code:java}
> // hadoop security
> public static final Logger AUDITLOG =
>     LoggerFactory.getLogger(
>         "SecurityLogger." + ServiceAuthorizationManager.class.getName());
> // namenode
> public static final Log auditLog = LogFactory.getLog(
>     FSNamesystem.class.getName() + ".audit");
> {code}
> I finally chose className.audit, and record to AUDITLOG instead of LOG for the 
> privileged operations that call the permission check function 
> _checkSuperuserPrivilege_.
>  
>  
>  
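
The separation proposed in the issue, as an added sketch that is not code from PR #5464 or from Hadoop: a debug logger plus a `className.audit` logger that writes one record per privileged attempt, allowed or denied. Assumptions: it uses `java.util.logging` so it runs without dependencies, and the class name, the `addMountTableEntry` operation, the superuser name `hdfs`, the record fields and the in-memory sink are all hypothetical stand-ins.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class AdminAuditDemo {
  // Debug logger for developers; audit logger named className + ".audit".
  static final Logger LOG = Logger.getLogger(AdminAuditDemo.class.getName());
  static final Logger AUDITLOG = Logger.getLogger(AdminAuditDemo.class.getName() + ".audit");
  // In-memory sink standing in for a dedicated audit file (constructed for this example).
  static final List<String> AUDIT_SINK = new ArrayList<>();

  static {
    AUDITLOG.setUseParentHandlers(false); // keep audit records out of the debug log
    AUDITLOG.addHandler(new Handler() {
      @Override public void publish(LogRecord r) { AUDIT_SINK.add(r.getMessage()); }
      @Override public void flush() { }
      @Override public void close() { }
    });
  }

  // Hypothetical stand-in for the permission check named in the issue.
  static void checkSuperuserPrivilege(String user) {
    if (!"hdfs".equals(user)) throw new SecurityException("user=" + user + " is not a superuser");
  }

  // Privileged operation: the debug log gets a short message, the audit log the full context.
  static boolean addMountTableEntry(String user, String ip, String src) {
    try {
      checkSuperuserPrivilege(user);
      LOG.fine("mount entry added"); // debug log
      audit(true, user, ip, "addMountTableEntry", src); // audit log
      return true;
    } catch (SecurityException e) {
      LOG.warning("Permission check failed: " + e.getMessage()); // debug log
      audit(false, user, ip, "addMountTableEntry", src); // audit log
      return false;
    }
  }

  // Caller-supplied fields are stripped of tabs and line breaks so they cannot forge records.
  static void audit(boolean allowed, String user, String ip, String cmd, String src) {
    String line = "allowed=" + allowed + "\tugi=" + clean(user) + "\tip=" + clean(ip)
        + "\tcmd=" + cmd + "\tsrc=" + clean(src);
    AUDITLOG.info(line);
  }

  static String clean(String s) { return s.replaceAll("[\\t\\r\\n]", "_"); }

  public static void main(String[] args) {
    addMountTableEntry("hdfs", "10.0.0.5", "/data");           // constructed sample calls
    addMountTableEntry("alice", "10.0.0.9", "/data\nallowed=true");
    AUDIT_SINK.forEach(System.out::println);
  }
}
```

The denied call still produces exactly one audit record, and the injected line break in its path argument is neutralised before it reaches the audit sink.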


