adoroszlai commented on a change in pull request #3163:
URL: https://github.com/apache/ozone/pull/3163#discussion_r828398401
##########
File path: hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/security/OMRenewDelegationTokenRequest.java
##########
@@ -142,13 +151,18 @@ public OMClientResponse
validateAndUpdateCache(OzoneManager ozoneManager,
} catch (IOException ex) {
LOG.error("Error in Updating Renew DelegationToken {}",
ozoneTokenIdentifierToken, ex);
+ exception = ex;
omClientResponse = new OMRenewDelegationTokenResponse(null, -1L,
createErrorOMResponse(omResponse, ex));
} finally {
addResponseToDoubleBuffer(transactionLogIndex, omClientResponse,
ozoneManagerDoubleBufferHelper);
}
+ auditLog(auditLogger,
+ buildAuditMessage(OMAction.GET_DELEGATION_TOKEN, auditMap, exception,
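Review bot: the new `auditLog` call at the end of the hunk records the action as `OMAction.GET_DELEGATION_TOKEN`, but this file is `OMRenewDelegationTokenRequest`, so both successful and failed renewals would be audited under the wrong action; it should be `OMAction.RENEW_DELEGATION_TOKEN`, as in the `preExecute` example quoted in the review comment on this page.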
Review comment:
Thanks @JyotinderSingh for updating the patch, changes look good.
Regarding failure logging, I think we can improve it a bit.
I have executed the following test:
```
kinit -kt /etc/security/keytabs/testuser.keytab testuser/[email protected]
ozone sh token get
kinit -kt /etc/security/keytabs/testuser2.keytab testuser2/[email protected]
ozone sh token renew
```
Result in audit log:
```
ERROR | OMAudit | user= | ip= | op=RENEW_DELEGATION_TOKEN {username=, clientID=client-17A77FF07B03} | ret=FAILURE | TOKEN_ERROR_OTHER
org.apache.hadoop.ozone.om.exceptions.OMException: Delegation token renewal failed for dt: Kind: OzoneToken, Service: 192.168.240.2:9862, Ident: 08 01 1a 17 74 65 73 74 75 73 65 72 2f 6f 6d 40 45 58 41 4d 50 4c 45 2e 43 4f 4d 22 08 74 65 73 74 75 73 65 72 2a 00 30 90 c7 a7 9f f9 2f 38 90 cf d9 bf fb 2f 40 02 48 01 5a 0f 34 30 37 31 31 34 38 33 38 34 35 30 30 35 37 7a 12 6f 6d 53 65 72 76 69 63 65 49 64 44 65 66 61 75 6c 74
	at org.apache.hadoop.ozone.om.OzoneManager.renewDelegationToken(OzoneManager.java:2164)
	at org.apache.hadoop.ozone.om.request.security.OMRenewDelegationTokenRequest.preExecute(OMRenewDelegationTokenRequest.java:77)
```
User information (username, IP) is missing. It can be fixed by getting and
using the updated request by calling `super.preExecute`. Example from
`OMRenewDelegationTokenRequest`:
```
@Override
public OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
  OMRequest request = super.preExecute(ozoneManager);
  RenewDelegationTokenRequestProto renewDelegationTokenRequest =
      request.getRenewDelegationTokenRequest();
  AuditLogger auditLogger = ozoneManager.getAuditLogger();
  Map<String, String> auditMap = null;
  long renewTime;
  try {
    Token<OzoneTokenIdentifier> token =
        OMPBHelper.convertToDelegationToken(
            renewDelegationTokenRequest.getToken());
    auditMap = buildTokenAuditMap(token);
    // Call OM to renew token
    renewTime = ozoneManager.renewDelegationToken(token);
  } catch (IOException ioe) {
    if (auditMap == null) {
      auditMap = new LinkedHashMap<>();
    }
    auditLog(auditLogger,
        buildAuditMessage(OMAction.RENEW_DELEGATION_TOKEN, auditMap, ioe,
            request.getUserInfo()));
    throw ioe;
  }
  ...
```
With this, the audit log contains similar information for a failure as it does for
a success:
```
ERROR | OMAudit | user=testuser2/[email protected] | ip=172.19.0.2 | op=RENEW_DELEGATION_TOKEN {kind=OzoneToken, service=172.19.0.10:9862} | ret=FAILURE | TOKEN_ERROR_OTHER ...
```
A similar change can be applied to the other requests.
--
This is an automated message from the Apache Git Service.