ChenSammi commented on code in PR #9687:
URL: https://github.com/apache/ozone/pull/9687#discussion_r2744510354
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3AssumeRoleRequest.java:
##########
@@ -134,46 +146,51 @@ public OMClientResponse
validateAndUpdateCache(OzoneManager ozoneManager, Execut
// Calculate expiration of session token
final long expirationEpochSeconds =
clock.instant().plusSeconds(durationSeconds).getEpochSecond();
+ // Add tempAccessKeyId to the log so it can be determined which
permanent user created the tempAccessKeyId
+ auditMap.put("tempAccessKeyId", tempAccessKeyId);
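Review bot: the new `auditMap.put("tempAccessKeyId", tempAccessKeyId);` uses a bare string literal as the audit key; a named constant would keep the key spelling consistent with whatever reads these audit records later. Since `expirationEpochSeconds` is computed immediately above, consider recording it in `auditMap` as well so an investigator can tie a temporary key to its validity window from the audit log alone. Please also confirm that only the access key id, and never the generated session secret, is ever placed in `auditMap`.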
Review Comment:
One more thing about AK and secret generation: currently each OM in OM HA generates a different AK and secret, the AK is saved in the audit log, and omRole LEADER or FOLLOWER is used to distinguish which OM's audit log record should be used in case of an issue investigation; this adds complexity to the investigation. The ideal state is that only the leader OM generates the AK and secret and passes them to the other followers, so that all OMs' audit logs will have exactly the same record. S3GetSecretRequest.java is a good example of the above process. This can be improved in a follow-up jira.