[ https://issues.apache.org/jira/browse/HDDS-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892406#comment-16892406 ]

Dinesh Chitlangia edited comment on HDDS-1768 at 7/25/19 4:32 AM:
------------------------------------------------------------------

[~ajayydv], [~xyao]
 I tried implementing this and in a certain kind of scenario it will lead to redundant logging.
 Example: I created a volume but I do not have the create ACL to create a bucket in this volume. When I attempt to create a bucket, this will lead to the following two log snippets:
 1. First, it will log when the internal checkAcls method is called
 2. Then it logs for the original request (createBucket)
{noformat}
ERROR | OMAudit | user=dchitlangia | ip=127.0.0.1 | op=GET_ACL {volume=volume80100, bucket=bucket83878, key=null, aclType=CREATE, resourceType=volume, storeType=ozone} | ret=FAILURE
org.apache.hadoop.ozone.om.exceptions.OMException: User dchitlangia doesn't have CREATE permission to access volume
 at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1809) ~[classes/:?]
 at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1769) ~[classes/:?]
 at org.apache.hadoop.ozone.om.OzoneManager.createBucket(OzoneManager.java:2092) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.createBucket(OzoneManagerRequestHandler.java:526) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.handle(OzoneManagerRequestHandler.java:185) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequestDirectlyToOM(OzoneManagerProtocolServerSideTranslatorPB.java:192) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequest(OzoneManagerProtocolServerSideTranslatorPB.java:110) ~[classes/:?]
 at org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos$OzoneManagerService$2.callBlockingMethod(OzoneManagerProtocolProtos.java) ~[classes/:?]
 at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:524) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1025) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:876) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:822) ~[hadoop-common-3.2.0.jar:?]
 at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
 at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_144]
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2682) ~[hadoop-common-3.2.0.jar:?]
ERROR | OMAudit | user=dchitlangia | ip=127.0.0.1 | op=CREATE_BUCKET {volume=volume80100, bucket=bucket83878, acls=[], isVersionEnabled=false, storageType=DISK, creationTime=0} | ret=FAILURE
org.apache.hadoop.ozone.om.exceptions.OMException: User dchitlangia doesn't have CREATE permission to access volume
 at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1809) ~[classes/:?]
 at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1769) ~[classes/:?]
 at org.apache.hadoop.ozone.om.OzoneManager.createBucket(OzoneManager.java:2092) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.createBucket(OzoneManagerRequestHandler.java:526) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.handle(OzoneManagerRequestHandler.java:185) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequestDirectlyToOM(OzoneManagerProtocolServerSideTranslatorPB.java:192) ~[classes/:?]
 at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequest(OzoneManagerProtocolServerSideTranslatorPB.java:110) ~[classes/:?]
 at org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos$OzoneManagerService$2.callBlockingMethod(OzoneManagerProtocolProtos.java) ~[classes/:?]
 at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:524) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1025) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:876) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:822) ~[hadoop-common-3.2.0.jar:?]
 at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
 at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_144]
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730) ~[hadoop-common-3.2.0.jar:?]
 at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2682) ~[hadoop-common-3.2.0.jar:?]
{noformat}

Wanted to get your thoughts on this.
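As an added example (not Ozone's own code), here is a small Python model of the double audit described in the comment above: the internal authorizer check writes a GET_ACL failure entry, then the request handler writes a CREATE_BUCKET entry for the same OMException. The `audited` flag on the exception, the `AuditLog` class and the ACL table are assumptions made for illustration, not the project's actual fix.

```python
# Added example (not Ozone's own code): models the double-audit path
# checkAcls -> createBucket from the comment. The `audited` flag is an
# assumed de-duplication approach, not the project's implementation.


class OMException(Exception):
    def __init__(self, message):
        super().__init__(message)
        self.audited = False  # set once an audit entry exists for this failure


class AuditLog:
    """Collects OMAudit-style lines in memory instead of writing to a logger."""

    def __init__(self):
        self.lines = []

    def failure(self, user, ip, op, params, exc):
        kv = ", ".join(f"{k}={v}" for k, v in params.items())
        self.lines.append(f"ERROR | OMAudit | user={user} | ip={ip} | op={op} {{{kv}}} | ret=FAILURE")
        exc.audited = True


# Constructed ACL table: dchitlangia owns the volume but holds no CREATE right on it.
VOLUME_ACLS = {"volume80100": {"dchitlangia": {"READ", "LIST"}}}


def check_acls(audit, user, ip, volume, bucket, acl_type):
    """Authorizer check; on denial it audits as op=GET_ACL and raises."""
    if acl_type in VOLUME_ACLS.get(volume, {}).get(user, set()):
        return True
    exc = OMException(f"User {user} doesn't have {acl_type} permission to access volume")
    audit.failure(user, ip, "GET_ACL",
                  {"volume": volume, "bucket": bucket, "aclType": acl_type, "resourceType": "volume"}, exc)
    raise exc


def create_bucket(audit, user, ip, volume, bucket, dedupe):
    """Request handler; audits the CREATE_BUCKET failure unless the authorizer already did."""
    try:
        check_acls(audit, user, ip, volume, bucket, "CREATE")
    except OMException as exc:
        if not (dedupe and exc.audited):
            audit.failure(user, ip, "CREATE_BUCKET", {"volume": volume, "bucket": bucket}, exc)
        raise


def run_scenario(dedupe):
    """Return the audit lines produced by one denied create-bucket request."""
    audit = AuditLog()
    try:
        create_bucket(audit, "dchitlangia", "127.0.0.1", "volume80100", "bucket83878", dedupe)
    except OMException:
        pass
    return audit.lines
```

With `dedupe=False` the scenario yields the two entries shown in the comment; with `dedupe=True` only the authorizer's GET_ACL entry, which carries the aclType and resourceType context, is kept.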



> Audit permission failures from authorizer
> -----------------------------------------
>
>                 Key: HDDS-1768
>                 URL: https://issues.apache.org/jira/browse/HDDS-1768
>             Project: Hadoop Distributed Data Store
>          Issue Type: Sub-task
>            Reporter: Ajay Kumar
>            Assignee: Dinesh Chitlangia
>            Priority: Major
>
> Audit permission failures from authorizer



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)