[
https://issues.apache.org/jira/browse/CALCITE-1311?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15371159#comment-15371159
]
Josh Elser commented on CALCITE-1311:
-------------------------------------
bq. It would very nice to have this, but is it scope creep? If the backend
server already has auditing it wouldn't want Avatica doing it at another level.
Good point. It might very well be duplicative of something that backend system
is already doing. Definitely should be an optional thing (if built)
bq. Are we talking about data auditing here (e.g. if there is a batch insert of
100 rows, write those 100 rows out somewhere)?
bq. How does this capability compare with metrics? Events such as "connection
created", "statement canceled" are similar to those that would be gathered by
metrics. So, would auditing and metrics write to the same place, and would they
use the same mechanism?
For the read side, I think it's pretty straightforward to just log the SQL
statement. For writes and metadata operations, I'm not sure what exactly these
would look like (would we log the Avatica method call? The insert/update
template assuming that it's a prepared statement?). How it fits in with metrics
is also a concern to avoid two features potentially colliding. My initial
thoughts would be that metrics are raw timing data for the Avatica calls
whereas this would be a "user level" record of what happened. We would
definitely need to make sure that the delineation between the two are clear.
Definitely still hashing out what this would look like; more feedback/opinions
are welcomed :)
> Add high-level record of interactions with the avatica server
> -------------------------------------------------------------
>
> Key: CALCITE-1311
> URL: https://issues.apache.org/jira/browse/CALCITE-1311
> Project: Calcite
> Issue Type: New Feature
> Components: avatica
> Reporter: Josh Elser
>
> It would be nice to have the ability to configure the Avatica server to
> create what is equivalent to an "audit log".
> This functionality would provide administrators the ability to inspect what
> queries were run and the user (client address and optionally the Kerberos
> identity).
> It would be nice to implement this as a framework and provide an initial
> "sink" binding which just writes to a file. This would let us push these logs
> to other systems automatically which would be nice.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
