[ https://issues.apache.org/jira/browse/HDFS-5799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Nauroth updated HDFS-5799:
--------------------------------
Attachment: HDFS-5799.1.patch

I'm uploading a patch. This makes audit logging for the ACL APIs consistent
with what we already do for {{setPermission}}. We'll log the path, the
operation name, and the permissions after execution of the operation. The
existing audit logging relies on {{FsPermission#toString}}, and we've already
updated that method in a prior patch to append '+' if there is an ACL present.
I also noticed that {{FSNamesystem#setAcl}} was missing its edit log sync, so I
added that.

I also considered the possibility of putting the full ACL into the audit log
entries. However, that could cause some very long audit log lines. I estimate
an extra ~600 characters for an inode that uses the maximum of 32 ACL entries.
There is also the matter of changing a lot of existing operations to fetch the
ACL just for the sake of logging. Let's not do this right now, and we can
always revisit it later if it's requested.

> Make audit logging consistent across ACL APIs.
> ----------------------------------------------
>
> Key: HDFS-5799
> URL: https://issues.apache.org/jira/browse/HDFS-5799
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: namenode
> Affects Versions: HDFS ACLs (HDFS-4685)
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HDFS-5799.1.patch
>
>
> Currently, the various ACL APIs are not writing to the audit log
> consistently. This patch will ensure that all ACL APIs write to the audit
> log and finalize the information that they write.
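
An added example, not part of the patch or of Hadoop: because the audit entries carry the path, the operation name and the resulting permission string but not the ACL itself, the trailing '+' can be used to list paths that need a follow-up ACL inspection. It assumes the NameNode's tab-separated key=value audit line layout and that the cmd values match the ACL API method names; the sample lines are constructed.

```python
# Assumption: audit cmd values match the HDFS ACL API method names.
ACL_CMDS = {"setAcl", "modifyAclEntries", "removeAclEntries",
            "removeDefaultAcl", "removeAcl"}
MARK = "FSNamesystem.audit: "  # assumed logger prefix of an audit line


def _line(allowed, ugi, cmd, src, perm):
    """Build one constructed audit line (not real log data)."""
    return (f"2014-01-17 10:00:00,000 INFO {MARK}allowed={allowed}\t"
            f"ugi={ugi} (auth:SIMPLE)\tip=/10.0.0.5\tcmd={cmd}\t"
            f"src={src}\tdst=null\tperm={perm}")


SAMPLE = [
    _line("true", "alice", "setPermission", "/data/fin", "alice:fin:rwxr-x---"),
    _line("true", "alice", "setAcl", "/data/fin", "alice:fin:rwxr-x---+"),
    _line("true", "bob", "modifyAclEntries", "/data/hr", "bob:hr:rwxrwx---+"),
    _line("true", "bob", "removeAcl", "/data/hr", "bob:hr:rwx------"),
    _line("false", "mallory", "setAcl", "/data/fin", "null"),
    _line("true", "alice", "open", "/data/fin/q1.csv", "null"),
    "2014-01-17 10:00:01,000 INFO namenode.NameNode: unrelated line",
]


def parse(line):
    """Split one audit line into its key=value fields; None if not an audit line."""
    _, found, body = line.partition(MARK)
    if not found:
        return None
    return dict(f.split("=", 1) for f in body.rstrip("\n").split("\t") if "=" in f)


def review(lines):
    """Return (paths whose latest logged permission ends in '+', denied ACL attempts)."""
    has_acl, denied = {}, []
    for line in lines:
        f = parse(line)
        if not f or f.get("cmd") not in ACL_CMDS | {"setPermission"}:
            continue
        if f.get("allowed") != "true":
            if f["cmd"] in ACL_CMDS:
                denied.append((f.get("ugi"), f["cmd"], f.get("src")))
            continue
        perm = f.get("perm", "null")
        if perm != "null":
            # FsPermission#toString appends '+' when the inode has an ACL.
            has_acl[f.get("src")] = perm.endswith("+")
    return sorted(p for p, acl in has_acl.items() if acl), denied


if __name__ == "__main__":
    print(review(SAMPLE))
```

The returned paths are only a worklist: the log line says an ACL is present, not what its entries are, so each path still has to be checked against the live ACL.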