Re: Authorization Logging
Yep, I'm in the process of reviewing them now.

On Wed, Mar 7, 2018 at 6:05 PM, Benjamin Mahler wrote:
> Are you looking for a reviewer for these? Will Greg have time to review?
>
> On Thu, Mar 1, 2018 at 3:19 AM, Alexander Rojas wrote:
> > This is a good question on where to do the audit, should it happen in the
> > authorization module itself, or in the caller. It doesn’t help that you can
> > authorize using approvers or the authorizer or the not so long ago
> > introduced acceptors. There are also function wrappers that help to do so.
> >
> > The feeling we have had in the past is that the authorizer interface was
> > created to accommodate the needs of the people writing authorization modules
> > but not so much its use inside our code base. That’s why I’ve been working
> > in a set of patches to try to clean up a little bit the code that calls
> > authorization based on ideas from BenH https://reviews.apache.org/r/65311/ .
> >
> > Reviews/comments always welcomed
> >
> > Alexander Rojas
> > alexander.ro...@gmail.com
> >
> > On 28. Feb 2018, at 23:52, Benjamin Mahler wrote:
> >
> > When touching some code, I noticed that authorization logging is currently
> > done rather inconsistently across the call-sites and many cases do not log
> > the request:
> >
> > $ grep -R -A 3 'LOG.*Authorizing' src
> >
> > Should authorization logging be the concern of an authorizer
> > implementation? For audit purposes I could imagine this also being part of
> > a separate log that the authorizer maintains?
> >
> > Ben
Re: Authorization Logging
Are you looking for a reviewer for these? Will Greg have time to review?

On Thu, Mar 1, 2018 at 3:19 AM, Alexander Rojas wrote:
> This is a good question on where to do the audit, should it happen in the
> authorization module itself, or in the caller. It doesn’t help that you can
> authorize using approvers or the authorizer or the not so long ago
> introduced acceptors. There are also function wrappers that help to do so.
>
> The feeling we have had in the past is that the authorizer interface was
> created to accommodate the needs of the people writing authorization modules
> but not so much its use inside our code base. That’s why I’ve been working
> in a set of patches to try to clean up a little bit the code that calls
> authorization based on ideas from BenH https://reviews.apache.org/r/65311/ .
>
> Reviews/comments always welcomed
>
> Alexander Rojas
> alexander.ro...@gmail.com
>
> On 28. Feb 2018, at 23:52, Benjamin Mahler wrote:
>
> When touching some code, I noticed that authorization logging is currently
> done rather inconsistently across the call-sites and many cases do not log
> the request:
>
> $ grep -R -A 3 'LOG.*Authorizing' src
>
> Should authorization logging be the concern of an authorizer
> implementation? For audit purposes I could imagine this also being part of
> a separate log that the authorizer maintains?
>
> Ben
Re: Authorization Logging
This is a good question on where to do the audit, should it happen in the authorization module itself, or in the caller. It doesn’t help that you can authorize using approvers or the authorizer or the not so long ago introduced acceptors. There are also function wrappers that help to do so.

The feeling we have had in the past is that the authorizer interface was created to accommodate the needs of the people writing authorization modules but not so much its use inside our code base. That’s why I’ve been working in a set of patches to try to clean up a little bit the code that calls authorization based on ideas from BenH https://reviews.apache.org/r/65311/ .

Reviews/comments always welcomed

Alexander Rojas
alexander.ro...@gmail.com

> On 28. Feb 2018, at 23:52, Benjamin Mahler wrote:
>
> When touching some code, I noticed that authorization logging is currently
> done rather inconsistently across the call-sites and many cases do not log
> the request:
>
> $ grep -R -A 3 'LOG.*Authorizing' src
>
> Should authorization logging be the concern of an authorizer implementation?
> For audit purposes I could imagine this also being part of a separate log
> that the authorizer maintains?
>
> Ben
Re: Authorization Logging
> On Feb 28, 2018, at 2:52 PM, Benjamin Mahler wrote:
>
> When touching some code, I noticed that authorization logging is currently
> done rather inconsistently across the call-sites and many cases do not log
> the request:
>
> $ grep -R -A 3 'LOG.*Authorizing' src
>
> Should authorization logging be the concern of an authorizer
> implementation? For audit purposes I could imagine this also being part of
> a separate log that the authorizer maintains?

Separating this out from the authorizer was the idea behind https://issues.apache.org/jira/browse/MESOS-7678.

J
Authorization Logging
When touching some code, I noticed that authorization logging is currently done rather inconsistently across the call-sites and many cases do not log the request:

$ grep -R -A 3 'LOG.*Authorizing' src

Should authorization logging be the concern of an authorizer implementation? For audit purposes I could imagine this also being part of a separate log that the authorizer maintains?

Ben
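
The option raised in this thread, recording authorization decisions in one place instead of at each call site, sketched as an added example that is not part of the original messages or of the Mesos code base. `Request`, `Authorizer`, `OpsOnlyAuthorizer`, `AuditingAuthorizer` and `clean` are hypothetical, simplified names, and the requests are constructed samples.

```cpp
// Hypothetical, simplified types for illustration; not the Mesos Authorizer API.
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Request { std::string subject, action, object; };

struct Authorizer {
  virtual ~Authorizer() = default;
  virtual bool authorized(const Request& request) = 0;
};
// Stand-in policy module (assumption): only subject "ops" is allowed.
struct OpsOnlyAuthorizer : Authorizer {
  bool authorized(const Request& r) override { return r.subject == "ops"; }
};
// Replace control characters so a request field cannot forge extra log lines.
std::string clean(std::string s) {
  for (char& c : s) if (static_cast<unsigned char>(c) < 0x20) c = '?';
  return s;
}

// Decorator: each decision emits exactly one audit record, whatever the call site.
class AuditingAuthorizer : public Authorizer {
public:
  using Sink = std::function<void(const std::string&)>;
  AuditingAuthorizer(std::unique_ptr<Authorizer> inner, Sink sink)
    : inner_(std::move(inner)), sink_(std::move(sink)) {}
  bool authorized(const Request& r) override {
    const bool allowed = inner_->authorized(r);
    sink_("authz subject='" + clean(r.subject) + "' action='" + clean(r.action) +
          "' object='" + clean(r.object) + "' decision=" + (allowed ? "ALLOW" : "DENY"));
    return allowed;
  }
private:
  std::unique_ptr<Authorizer> inner_;
  Sink sink_;
};

// Two constructed requests; returns the audit trail the sink collected.
std::vector<std::string> demo() {
  std::vector<std::string> audit;
  AuditingAuthorizer authz(std::make_unique<OpsOnlyAuthorizer>(),
      [&audit](const std::string& line) { audit.push_back(line); });
  authz.authorized({"ops", "VIEW_TASK", "task-1"});
  authz.authorized({"guest", "KILL_TASK", "task-1"});
  return audit;
}
```

Because the sink is injected, the same wrapper can write to the main log or to a separate audit log without touching the policy module or the call sites.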