The general phenomenon has been to audit-log all successful commands and the ones resulting in AccessControlException. For ACLs, we do have a unit test covering the AccessControlException/failure cases. It would be better if we could have a unit test covering the successful ACL APIs and ACL commands over FS shell as well.
Additionally, the FS Shell getfacl command has a performance improvement (HADOOP-12776) whereby the shell skips the call to getAclStatus if the permission bits in getFileInfo() don't have the ACL bit set. It would be good to have an audit log test covering this case.
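The check described above, sketched as an added example (not code from the Hadoop project): it reads audit events for one path and reports whether a getfacl run left the expected successful entries, with getAclStatus expected only when the ACL bit is set. The tab-separated `key=value` layout and the command names `getfileinfo` and `getAclStatus` are assumptions about the audit log; the helper names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample audit lines (assumed tab-separated key=value layout);
# user, IP and paths are made up for this example.
SAMPLE = [
    "allowed=true\tugi=alice (auth:SIMPLE)\tip=/10.0.0.5\tcmd=getfileinfo\tsrc=/data/plain\tdst=null\tperm=null\tproto=rpc",
    "allowed=true\tugi=alice (auth:SIMPLE)\tip=/10.0.0.5\tcmd=getfileinfo\tsrc=/data/acl\tdst=null\tperm=null\tproto=rpc",
    "allowed=true\tugi=alice (auth:SIMPLE)\tip=/10.0.0.5\tcmd=getAclStatus\tsrc=/data/acl\tdst=null\tperm=null\tproto=rpc",
    "allowed=true\tugi=alice (auth:SIMPLE)\tip=/10.0.0.5\tcmd=getfileinfo\tsrc=/data/secret\tdst=null\tperm=null\tproto=rpc",
    "allowed=false\tugi=alice (auth:SIMPLE)\tip=/10.0.0.5\tcmd=getAclStatus\tsrc=/data/secret\tdst=null\tperm=null\tproto=rpc",
]

FIELD = re.compile(r"(\w+)=([^\t]*)")


def parse(line):
    """Split one audit line into a dict of its key=value fields."""
    return dict(FIELD.findall(line))


def commands_for(lines, src):
    """Return (cmd, allowed) pairs logged for the given source path."""
    events = (parse(line) for line in lines)
    return [(e["cmd"], e["allowed"] == "true") for e in events if e.get("src") == src]


def check_getfacl_audit(lines, src, acl_bit_set):
    """List audit-log problems for a getfacl run against src.

    getfileinfo must always be logged as allowed; getAclStatus must be logged
    as allowed when the ACL bit is set, and must not appear at all when the
    shell is expected to skip the call.
    """
    seen = commands_for(lines, src)
    expected = ["getfileinfo"] + (["getAclStatus"] if acl_bit_set else [])
    problems = [f"missing successful {cmd} for {src}"
                for cmd in expected if (cmd, True) not in seen]
    if not acl_bit_set and any(cmd == "getAclStatus" for cmd, _ in seen):
        problems.append(f"unexpected getAclStatus for {src}")
    return problems


if __name__ == "__main__":
    for path, bit in [("/data/plain", False), ("/data/acl", True), ("/data/secret", True)]:
        print(path, check_getfacl_audit(SAMPLE, path, bit) or "ok")
```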