I'm uploading a patch. This makes audit logging for the ACL APIs consistent with what we already do for setPermission. We'll log the path, the operation name, and the permissions after execution of the operation. The existing audit logging relies on FsPermission#toString, and we've already updated that method in a prior patch to append '+' if there is an ACL present. I also noticed that FSNamesystem#setAcl was missing its edit log sync, so I added that.
I also considered the possibility of putting the full ACL into the audit log entries. However, that could cause some very long audit log lines. I estimate an extra ~600 characters for an inode that uses the maximum of 32 ACL entries. There is also the matter of changing a lot of existing operations to fetch the ACL just for the sake of logging. Let's not do this right now, and we can always revisit it later if it's requested.