Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-3535

Audit logging should log denied accesses

    Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha
    • Fix Version/s: 2.0.2-alpha
    • Component/s: namenode
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      FSNamesystem.java logs an audit log entry when a user successfully accesses the filesystem:

            logAuditEvent(UserGroupInformation.getLoginUser(),
                          Server.getRemoteIp(),
                          "concat", Arrays.toString(srcs), target, resultingStat);
      

      but there is no similar log when a user attempts to access the filesystem and is denied due to permissions. Competing systems do provide such logging of denied access attempts; we should too.

      1. hdfs-3535-2.txt
        21 kB
        Andy Isaacson
      2. hdfs-3535-1.txt
        22 kB
        Andy Isaacson
      3. hdfs-3535.txt
        14 kB
        Andy Isaacson

        Activity

        Arun C Murthy made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Arun C Murthy made changes -
        Fix Version/s 2.0.2-alpha [ 12322472 ]
        Fix Version/s 2.1.0-alpha [ 12321440 ]
        Eli Collins made changes -
        Summary audit logging should log denied accesses as well as permitted ones Audit logging should log denied accesses
        Eli Collins made changes -
        Status Patch Available [ 10002 ] Resolved [ 5 ]
        Hadoop Flags Reviewed [ 10343 ]
        Target Version/s 2.0.1-alpha [ 12321440 ]
        Fix Version/s 2.0.1-alpha [ 12321440 ]
        Resolution Fixed [ 1 ]
        Andy Isaacson made changes -
        Attachment hdfs-3535-2.txt [ 12533399 ]
        Andy Isaacson made changes -
        Attachment hdfs-3535-1.txt [ 12532473 ]
        Andy Isaacson made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Andy Isaacson made changes -
        Attachment hdfs-3535.txt [ 12532124 ]
        Andy Isaacson made changes -
        Field Original Value New Value
        Target Version/s 2.0.1-alpha [ 12321440 ]
        Andy Isaacson created issue -

          People

          • Assignee:
            Andy Isaacson
            Reporter:
            Andy Isaacson
          • Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development