Are you looking for a reviewer for these? Will Greg have time to review?

On Thu, Mar 1, 2018 at 3:19 AM, Alexander Rojas <alexander.ro...@gmail.com> wrote:
> This is a good question on where to do the audit, should it happen in the
> authorization module itself, or in the caller. It doesn’t help that you can
> authorize using approvers or the authorizer or the not so long ago
> introduced acceptors. There are also function wrappers that help to do so.
>
> The feeling we have had in the past is that the authorizer interface was
> created to accommodate the needs of the people writing authorization modules
> but not so much its use inside our code base. That’s why I’ve been working
> on a set of patches to try to clean up a little bit the code that calls
> authorization based on ideas from BenH https://reviews.apache.org/r/65311/.
>
> Reviews/comments always welcomed
>
> Alexander Rojas
> alexander.ro...@gmail.com
>
> On 28. Feb 2018, at 23:52, Benjamin Mahler <bmah...@apache.org> wrote:
>
> When touching some code, I noticed that authorization logging is currently
> done rather inconsistently across the call-sites and many cases do not log
> the request:
>
> $ grep -R -A 3 'LOG.*Authorizing' src
>
> Should authorization logging be the concern of an authorizer
> implementation? For audit purposes I could imagine this also being part of
> a separate log that the authorizer maintains?
>
> Ben