Posted to hdfs-dev@hadoop.apache.org by Xiao Chen <xi...@cloudera.com> on 2017/08/14 18:52:04 UTC

Why aren't delegation token operations audit logged?

Hello,

When inspecting the code, I found that the following methods in
FSNamesystem are not audit logged:

   - getDelegationToken
   - renewDelegationToken
   - cancelDelegationToken

The audit log itself does have a logTokenTrackingId
<https://github.com/apache/hadoop/blob/branch-3.0.0-alpha4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java#L7432>
field to additionally log some details when a token is used for authentication.
But why aren't the token operations themselves audit logged?

I checked with ATM hoping for some history, but none is known to him. Anyone
know the reason to not audit log these?

Thanks,
-Xiao

Re: Why aren't delegation token operations audit logged?

Posted by Xiao Chen <xi...@cloudera.com>.
Thanks a lot Daryn! Filed https://issues.apache.org/jira/browse/HDFS-12300.


-Xiao

On Mon, Aug 14, 2017 at 12:46 PM, Daryn Sharp <da...@oath.com> wrote:

> I don't think there's a historical reason for not logging token ops, and
> have no objections to logging them – as long as the log line does not
> contain anything like the identifier/password.  My first thought was
> logging overhead but I checked our clusters and the rate of logging would
> be insignificant.
>
> Daryn
>
> On Mon, Aug 14, 2017 at 1:52 PM, Xiao Chen <xi...@cloudera.com> wrote:
>
>> Hello,
>>
>> When inspecting the code, I found that the following methods in
>> FSNamesystem are not audit logged:
>>
>>    - getDelegationToken
>>    - renewDelegationToken
>>    - cancelDelegationToken
>>
>> The audit log itself does have a logTokenTrackingId
>> <https://github.com/apache/hadoop/blob/branch-3.0.0-alpha4/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java#L7432>
>> field to additionally log some details when a token is used for authentication.
>> But why aren't the token operations themselves audit logged?
>>
>> I checked with ATM hoping for some history, but none is known to him. Anyone
>> know the reason to not audit log these?
>>
>> Thanks,
>> -Xiao
>>
>
>
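
One way to meet the constraint raised in the reply above (audit the three token operations without the log line carrying the identifier or password), as an added example that is not code from this thread or from Hadoop. The Token record, the field names in the log line, and the use of a truncated SHA-256 digest as the tracking id are all assumptions made for illustration; it needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

/** Hypothetical sketch: none of these types are Hadoop classes. */
public class TokenAuditExample {

    /** Constructed stand-in for a delegation token: identifier bytes plus the secret password. */
    record Token(String owner, String renewer, byte[] identifier, byte[] password) {}

    /** One-way digest of the identifier: lets log lines be correlated, cannot be replayed as a token. */
    static String trackingId(Token t) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(t.identifier());
            return HexFormat.of().formatHex(digest, 0, 8); // first 8 bytes, 16 hex characters
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Strip control characters so a principal name cannot inject extra fields or lines. */
    static String clean(String s) {
        return s.replaceAll("\\p{Cntrl}", "_");
    }

    /**
     * Builds the audit line from an allow-list of fields. Only the digest of the
     * identifier appears in the output, and the password is never read.
     */
    static String auditLine(boolean allowed, String caller, String op, Token t) {
        return String.format("allowed=%b\tugi=%s\tcmd=%s\towner=%s\trenewer=%s\ttrackingId=%s",
            allowed, clean(caller), op, clean(t.owner()), clean(t.renewer()), trackingId(t));
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        Token t = new Token("alice", "yarn",
            "constructed-identifier-0001".getBytes(StandardCharsets.UTF_8),
            "constructed-secret".getBytes(StandardCharsets.UTF_8));
        String[] ops = {"getDelegationToken", "renewDelegationToken", "cancelDelegationToken"};
        for (String op : ops) {
            System.out.println(auditLine(true, "alice@EXAMPLE.COM", op, t));
        }
    }
}
```

Because the same tracking id is printed for the get, renew and cancel of one token, a reviewer can follow a token's lifecycle in the audit log without any line containing material that could be used to authenticate.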