[ https://issues.apache.org/jira/browse/HDDS-1768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892406#comment-16892406 ]
Dinesh Chitlangia edited comment on HDDS-1768 at 7/25/19 4:32 AM:
------------------------------------------------------------------

[~ajayydv], [~xyao] I tried implementing this and in a certain kind of scenario it will lead to redundant logging.

Example: I created a volume but I do not have create acl to create a bucket in this volume. When I attempt creating a bucket, this will lead to the following two log snippets:
1. First, it will log when the internal checkAcls method is called
2. Now it logs for the original request (create Bucket)

{noformat}
ERROR | OMAudit | user=dchitlangia | ip=127.0.0.1 | op=GET_ACL {volume=volume80100, bucket=bucket83878, key=null, aclType=CREATE, resourceType=volume, storeType=ozone} | ret=FAILURE
org.apache.hadoop.ozone.om.exceptions.OMException: User dchitlangia doesn't have CREATE permission to access volume
    at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1809) ~[classes/:?]
    at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1769) ~[classes/:?]
    at org.apache.hadoop.ozone.om.OzoneManager.createBucket(OzoneManager.java:2092) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.createBucket(OzoneManagerRequestHandler.java:526) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.handle(OzoneManagerRequestHandler.java:185) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequestDirectlyToOM(OzoneManagerProtocolServerSideTranslatorPB.java:192) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequest(OzoneManagerProtocolServerSideTranslatorPB.java:110) ~[classes/:?]
    at org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos$OzoneManagerService$2.callBlockingMethod(OzoneManagerProtocolProtos.java) ~[classes/:?]
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:524) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1025) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:876) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:822) ~[hadoop-common-3.2.0.jar:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
    at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_144]
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2682) ~[hadoop-common-3.2.0.jar:?]
ERROR | OMAudit | user=dchitlangia | ip=127.0.0.1 | op=CREATE_BUCKET {volume=volume80100, bucket=bucket83878, acls=[], isVersionEnabled=false, storageType=DISK, creationTime=0} | ret=FAILURE
org.apache.hadoop.ozone.om.exceptions.OMException: User dchitlangia doesn't have CREATE permission to access volume
    at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1809) ~[classes/:?]
    at org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1769) ~[classes/:?]
    at org.apache.hadoop.ozone.om.OzoneManager.createBucket(OzoneManager.java:2092) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.createBucket(OzoneManagerRequestHandler.java:526) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.handle(OzoneManagerRequestHandler.java:185) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequestDirectlyToOM(OzoneManagerProtocolServerSideTranslatorPB.java:192) ~[classes/:?]
    at org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB.submitRequest(OzoneManagerProtocolServerSideTranslatorPB.java:110) ~[classes/:?]
    at org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos$OzoneManagerService$2.callBlockingMethod(OzoneManagerProtocolProtos.java) ~[classes/:?]
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:524) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1025) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:876) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:822) ~[hadoop-common-3.2.0.jar:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
    at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_144]
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730) ~[hadoop-common-3.2.0.jar:?]
    at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2682) ~[hadoop-common-3.2.0.jar:?]
{noformat}

Wanted to get your thoughts on this.
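The redundancy the comment describes, seen from the consumer side of the audit log: an added parser (example code written here, not part of Ozone) reads OMAudit lines and collapses a failed inner GET_ACL entry into the enclosing request's failure when user, ip, volume and bucket match. The sample lines are constructed from the two entries above with the stack traces dropped, plus one unrelated failure that must survive.

```python
import re
from collections import namedtuple

# Constructed sample: the two OMAudit entries from the comment (stack traces
# omitted, exception message kept on the line) plus one unrelated failure.
SAMPLE_LOG = """\
ERROR | OMAudit | user=dchitlangia | ip=127.0.0.1 | op=GET_ACL {volume=volume80100, bucket=bucket83878, key=null, aclType=CREATE, resourceType=volume, storeType=ozone} | ret=FAILURE org.apache.hadoop.ozone.om.exceptions.OMException: User dchitlangia doesn't have CREATE permission to access volume
ERROR | OMAudit | user=dchitlangia | ip=127.0.0.1 | op=CREATE_BUCKET {volume=volume80100, bucket=bucket83878, acls=[], isVersionEnabled=false, storageType=DISK, creationTime=0} | ret=FAILURE org.apache.hadoop.ozone.om.exceptions.OMException: User dchitlangia doesn't have CREATE permission to access volume
ERROR | OMAudit | user=alice | ip=10.0.0.5 | op=GET_ACL {volume=volume1, bucket=null, key=null, aclType=READ, resourceType=volume, storeType=ozone} | ret=FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<level>\w+) \| OMAudit \| user=(?P<user>[^ |]+) \| ip=(?P<ip>[^ |]+) \| "
    r"op=(?P<op>\w+) \{(?P<params>[^}]*)\} \| ret=(?P<ret>\w+)"
)
AuditEvent = namedtuple("AuditEvent", "user ip op params ret")

def parse_line(line):
    """Parse one OMAudit line; returns None for stack-trace and other non-audit lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = dict(kv.partition("=")[::2] for kv in m.group("params").split(", "))
    return AuditEvent(m.group("user"), m.group("ip"), m.group("op"), params, m.group("ret"))

def collapse_nested_acl_failures(events):
    """Drop a failed GET_ACL entry when the very next entry is a failed non-GET_ACL
    request by the same user/ip on the same volume and bucket: that inner entry is
    the redundant checkAcls() audit the comment describes."""
    out, i = [], 0
    while i < len(events):
        ev = events[i]
        nxt = events[i + 1] if i + 1 < len(events) else None
        if (ev.op == "GET_ACL" and ev.ret == "FAILURE" and nxt is not None
                and nxt.ret == "FAILURE" and nxt.op != "GET_ACL"
                and (nxt.user, nxt.ip) == (ev.user, ev.ip)
                and nxt.params.get("volume") == ev.params.get("volume")
                and nxt.params.get("bucket") == ev.params.get("bucket")):
            i += 1  # skip the inner GET_ACL; the outer op records the same failure
            continue
        out.append(ev)
        i += 1
    return out

def dedup_audit_log(text):
    """Parse a raw OMAudit log and return it with nested ACL failures collapsed."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return collapse_nested_acl_failures(events)
```

Adjacency is a heuristic that holds for a single-threaded request trace like the one above; on a busy OM the two entries may be interleaved with other users' events, so a production detector would key on timestamp and request context as well.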
> Audit permission failures from authorizer
> -----------------------------------------
>
>                 Key: HDDS-1768
>                 URL: https://issues.apache.org/jira/browse/HDDS-1768
>             Project: Hadoop Distributed Data Store
>          Issue Type: Sub-task
>            Reporter: Ajay Kumar
>            Assignee: Dinesh Chitlangia
>            Priority: Major
>
> Audit permission failures from authorizer

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)