Hadoop HDFS
  1. Hadoop HDFS
  2. HDFS-3535

Audit logging should log denied accesses

    Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-alpha
    • Fix Version/s: 2.0.2-alpha
    • Component/s: namenode
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      FSNamesystem.java logs an audit log entry when a user successfully accesses the filesystem:

            logAuditEvent(UserGroupInformation.getLoginUser(),
                          Server.getRemoteIp(),
                          "concat", Arrays.toString(srcs), target, resultingStat);
      

      but there is no similar log when a user attempts to access the filesystem and is denied due to permissions. Competing systems do provide such logging of denied access attempts; we should too.

      1. hdfs-3535.txt
        14 kB
        Andy Isaacson
      2. hdfs-3535-1.txt
        22 kB
        Andy Isaacson
      3. hdfs-3535-2.txt
        21 kB
        Andy Isaacson

        Activity

        Andy Isaacson created issue -
        Andy Isaacson made changes -
        Field Original Value New Value
        Target Version/s 2.0.1-alpha [ 12321440 ]
        Andy Isaacson made changes -
        Attachment hdfs-3535.txt [ 12532124 ]
        Andy Isaacson made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12532124/hdfs-3535.txt
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs:

        org.apache.hadoop.hdfs.server.namenode.TestFsck
        org.apache.hadoop.hdfs.server.blockmanagement.TestBlocksWithNotEnoughRacks
        org.apache.hadoop.hdfs.TestFileLengthOnClusterRestart

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2654//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2654//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12532124/hdfs-3535.txt against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 javadoc. The javadoc tool did not generate any warning messages. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs: org.apache.hadoop.hdfs.server.namenode.TestFsck org.apache.hadoop.hdfs.server.blockmanagement.TestBlocksWithNotEnoughRacks org.apache.hadoop.hdfs.TestFileLengthOnClusterRestart +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2654//testReport/ Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2654//console This message is automatically generated.
        Hide
        Andy Isaacson added a comment -

        Attaching updated diff including unit test.

        Show
        Andy Isaacson added a comment - Attaching updated diff including unit test.
        Andy Isaacson made changes -
        Attachment hdfs-3535-1.txt [ 12532473 ]
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12532473/hdfs-3535-1.txt
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 2 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs:

        org.apache.hadoop.hdfs.TestDatanodeBlockScanner

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2669//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2669//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12532473/hdfs-3535-1.txt against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 2 new or modified test files. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 javadoc. The javadoc tool did not generate any warning messages. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests in hadoop-hdfs-project/hadoop-hdfs: org.apache.hadoop.hdfs.TestDatanodeBlockScanner +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2669//testReport/ Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2669//console This message is automatically generated.
        Hide
        Andy Isaacson added a comment -

        The TestDatanodeBlockScanner failure appears to be unrelated.

        Show
        Andy Isaacson added a comment - The TestDatanodeBlockScanner failure appears to be unrelated.
        Hide
        Colin Patrick McCabe added a comment -

        Looks pretty good.

        It seems like this happens a lot:

        if (auditLog.isInfoEnabled() && isExternalInvocation()) { logAuditEvent(...) }
        

        Is it possible to roll that into a function, do you think?

        Show
        Colin Patrick McCabe added a comment - Looks pretty good. It seems like this happens a lot: if (auditLog.isInfoEnabled() && isExternalInvocation()) { logAuditEvent(...) } Is it possible to roll that into a function, do you think?
        Hide
        Eli Collins added a comment -

        Looks good Andy.

        The one audit log that doesn't have a corresponding log for failure is logFsckEvent, though given that we get the ugi from the request it seems like that case could result in an ACE as well right?

        Style nits:

        • Let's use fooInternal vs fooInt to match the existing "fooInternal" methods
        • In logAuditEvent I'd rename "succeeded" to "allowed" to match the log and since we don't differentiate between succeeded and allowed, ie we're not logging things that didn't succeed (eg IOE), just ones that weren't allowed (ACE)

        Per Colin, what do you think about (in a separate change) moving the two checks inside logAuditEvent, eg

        logAuditEvent() {
          if (!auditLog.isInfoEnabled() || !isExternalInvocation()) {
            return;
          }
          ..
        }
        

        Normally the checks are used before the method invocation if we're doing expensive things to create the args (eg lots of string concatenation) not to save the cost of the method invocation. Doesn't look like that's the case here (we're not constructing args) so we could just call logAuditEvent directly everywhere.

        Show
        Eli Collins added a comment - Looks good Andy. The one audit log that doesn't have a corresponding log for failure is logFsckEvent, though given that we get the ugi from the request it seems like that case could result in an ACE as well right? Style nits: Let's use fooInternal vs fooInt to match the existing "fooInternal" methods In logAuditEvent I'd rename "succeeded" to "allowed" to match the log and since we don't differentiate between succeeded and allowed, ie we're not logging things that didn't succeed (eg IOE), just ones that weren't allowed (ACE) Per Colin, what do you think about (in a separate change) moving the two checks inside logAuditEvent, eg logAuditEvent() { if (!auditLog.isInfoEnabled() || !isExternalInvocation()) { return ; } .. } Normally the checks are used before the method invocation if we're doing expensive things to create the args (eg lots of string concatenation) not to save the cost of the method invocation. Doesn't look like that's the case here (we're not constructing args) so we could just call logAuditEvent directly everywhere.
        Hide
        Eli Collins added a comment -

        Forgot to mention, in TestAuditLogs use @Before and @After to setup/teardown cluster and fs in one place (see other tests for an example)

        Show
        Eli Collins added a comment - Forgot to mention, in TestAuditLogs use @Before and @After to setup/teardown cluster and fs in one place (see other tests for an example)
        Hide
        Andy Isaacson added a comment -

        The one audit log that doesn't have a corresponding log for failure is logFsckEvent, though given that we get the ugi from the request it seems like that case could result in an ACE as well right?

        the fsck audit event is logged before the fsck command is run, so it can't fail to generate the audit event. Also fsck is special in that it's implemented as a URL fetch, so I don't think the UGI is enforced. This is probably a bug, and the audit logging will need to be fixed when that bug is fixed.

        Let's use fooInternal vs fooInt to match the existing "fooInternal" methods

        That would collide with several existing uses: concatInternal, createSymlinkInternal, startFileInternal, renameToInternal, etc. I specifically chose a suffix not previously used to avoid code churn. Perhaps a different suffix than "Int" would convey this better, LMK if you have any good ideas.

        Normally the checks are used before the method invocation if we're doing expensive things to create the args (eg lots of string concatenation) not to save the cost of the method invocation. Doesn't look like that's the case here (we're not constructing args) so we could just call logAuditEvent directly everywhere.

        There are a bunch of uses of logAuditEvent that do need to check if audit logging is enabled before constructing log messages, etc. I considered refactoring them all and concluded that it was out of scope for this change. I decided not to change the existing idiom (verbose though it is) before refactoring all users of the interface, which should be a separate change.

        Show
        Andy Isaacson added a comment - The one audit log that doesn't have a corresponding log for failure is logFsckEvent, though given that we get the ugi from the request it seems like that case could result in an ACE as well right? the fsck audit event is logged before the fsck command is run, so it can't fail to generate the audit event. Also fsck is special in that it's implemented as a URL fetch, so I don't think the UGI is enforced. This is probably a bug, and the audit logging will need to be fixed when that bug is fixed. Let's use fooInternal vs fooInt to match the existing "fooInternal" methods That would collide with several existing uses: concatInternal, createSymlinkInternal, startFileInternal, renameToInternal, etc. I specifically chose a suffix not previously used to avoid code churn. Perhaps a different suffix than "Int" would convey this better, LMK if you have any good ideas. Normally the checks are used before the method invocation if we're doing expensive things to create the args (eg lots of string concatenation) not to save the cost of the method invocation. Doesn't look like that's the case here (we're not constructing args) so we could just call logAuditEvent directly everywhere. There are a bunch of uses of logAuditEvent that do need to check if audit logging is enabled before constructing log messages, etc. I considered refactoring them all and concluded that it was out of scope for this change. I decided not to change the existing idiom (verbose though it is) before refactoring all users of the interface, which should be a separate change.
        Hide
        Andy Isaacson added a comment -

        Forgot to mention, in TestAuditLogs use @Before and @After to setup/teardown cluster and fs in one place (see other tests for an example)

        Thanks, that makes the tests a lot nicer! I'll post a new patch using that.

        Show
        Andy Isaacson added a comment - Forgot to mention, in TestAuditLogs use @Before and @After to setup/teardown cluster and fs in one place (see other tests for an example) Thanks, that makes the tests a lot nicer! I'll post a new patch using that.
        Hide
        Andy Isaacson added a comment -

        Attaching hdfs-3535-2.txt adopting @Before/@After annotations.

        Show
        Andy Isaacson added a comment - Attaching hdfs-3535-2.txt adopting @Before/@After annotations.
        Andy Isaacson made changes -
        Attachment hdfs-3535-2.txt [ 12533399 ]
        Hide
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12533399/hdfs-3535-2.txt
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 2 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2700//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2700//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12533399/hdfs-3535-2.txt against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 2 new or modified test files. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 javadoc. The javadoc tool did not generate any warning messages. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in hadoop-hdfs-project/hadoop-hdfs. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HDFS-Build/2700//testReport/ Console output: https://builds.apache.org/job/PreCommit-HDFS-Build/2700//console This message is automatically generated.
        Hide
        Eli Collins added a comment -

        +1 latest patch looks good

        There are a bunch of uses of logAuditEvent that do need to check if audit logging is enabled before constructing log messages.

        Why? Doesn't seem like the arg evaluation has side effects or is expensive but maybe I'm missing something. Agree this cleanup should be a separate change, file a jira?

        Show
        Eli Collins added a comment - +1 latest patch looks good There are a bunch of uses of logAuditEvent that do need to check if audit logging is enabled before constructing log messages. Why? Doesn't seem like the arg evaluation has side effects or is expensive but maybe I'm missing something. Agree this cleanup should be a separate change, file a jira?
        Hide
        Eli Collins added a comment -

        I've committed this and merged to branch-2. Thanks Andy!

        Show
        Eli Collins added a comment - I've committed this and merged to branch-2. Thanks Andy!
        Eli Collins made changes -
        Status Patch Available [ 10002 ] Resolved [ 5 ]
        Hadoop Flags Reviewed [ 10343 ]
        Target Version/s 2.0.1-alpha [ 12321440 ]
        Fix Version/s 2.0.1-alpha [ 12321440 ]
        Resolution Fixed [ 1 ]
        Eli Collins made changes -
        Summary audit logging should log denied accesses as well as permitted ones Audit logging should log denied accesses
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Common-trunk-Commit #2390 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2390/)
        HDFS-3535. Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144)

        Result = SUCCESS
        eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Show
        Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #2390 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/2390/ ) HDFS-3535 . Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144) Result = SUCCESS eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk-Commit #2459 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2459/)
        HDFS-3535. Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144)

        Result = SUCCESS
        eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Show
        Hudson added a comment - Integrated in Hadoop-Hdfs-trunk-Commit #2459 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/2459/ ) HDFS-3535 . Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144) Result = SUCCESS eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk-Commit #2409 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2409/)
        HDFS-3535. Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144)

        Result = FAILURE
        eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Show
        Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #2409 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/2409/ ) HDFS-3535 . Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144) Result = FAILURE eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Hide
        Andy Isaacson added a comment -

        Why? Doesn't seem like the arg evaluation has side effects or is expensive but maybe I'm missing something.

        FSNamesystem.java-          final HdfsFileStatus stat = dir.getFileInfo(src, false);
        FSNamesystem.java:          logAuditEvent(UserGroupInformation.getCurrentUser(),
        ...
        FSNamesystem.java-      final HdfsFileStatus stat = dir.getFileInfo(src, false);
        FSNamesystem.java:      logAuditEvent(UserGroupInformation.getCurrentUser(),
        ...
        FSNamesystem.java-      StringBuilder cmd = new StringBuilder("rename options=");
        FSNamesystem.java-      for (Rename option : options) {
        FSNamesystem.java-        cmd.append(option.value()).append(" ");
        FSNamesystem.java-      }
        FSNamesystem.java:      logAuditEvent(UserGroupInformation.getCurrentUser(), Server.getRemote
        

        Agree this cleanup should be a separate change, file a jira?

        Sure, filed HDFS-3569.

        Show
        Andy Isaacson added a comment - Why? Doesn't seem like the arg evaluation has side effects or is expensive but maybe I'm missing something. FSNamesystem.java- final HdfsFileStatus stat = dir.getFileInfo(src, false ); FSNamesystem.java: logAuditEvent(UserGroupInformation.getCurrentUser(), ... FSNamesystem.java- final HdfsFileStatus stat = dir.getFileInfo(src, false ); FSNamesystem.java: logAuditEvent(UserGroupInformation.getCurrentUser(), ... FSNamesystem.java- StringBuilder cmd = new StringBuilder( "rename options=" ); FSNamesystem.java- for (Rename option : options) { FSNamesystem.java- cmd.append(option.value()).append( " " ); FSNamesystem.java- } FSNamesystem.java: logAuditEvent(UserGroupInformation.getCurrentUser(), Server.getRemote Agree this cleanup should be a separate change, file a jira? Sure, filed HDFS-3569 .
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Hdfs-trunk #1089 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1089/)
        HDFS-3535. Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144)

        Result = FAILURE
        eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Show
        Hudson added a comment - Integrated in Hadoop-Hdfs-trunk #1089 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1089/ ) HDFS-3535 . Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144) Result = FAILURE eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Hide
        Hudson added a comment -

        Integrated in Hadoop-Mapreduce-trunk #1122 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1122/)
        HDFS-3535. Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144)

        Result = FAILURE
        eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144
        Files :

        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java
        • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Show
        Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #1122 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1122/ ) HDFS-3535 . Audit logging should log denied accesses. Contributed by Andy Isaacson (Revision 1354144) Result = FAILURE eli : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1354144 Files : /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/CHANGES.txt /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestAuditLogs.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestFsck.java
        Arun C Murthy made changes -
        Fix Version/s 2.0.2-alpha [ 12322472 ]
        Fix Version/s 2.1.0-alpha [ 12321440 ]
        Arun C Murthy made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Andy Isaacson
            Reporter:
            Andy Isaacson
          • Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development