HDFS-16925. Namenode audit log to only include IP address of client (#5407)

Reviewed-by: Takanobu Asanuma <tasanuma@apache.org>
Signed-off-by: Tao Li <tomscut@apache.org>
Viraj Jasani 2023-02-20 16:26:32 -08:00 committed by GitHub
parent a3b500d046
commit 88914cada0
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 10 deletions


@ -8787,9 +8787,10 @@ public void logAuditEvent(boolean succeeded, String userName,
src = escapeJava(src);
dst = escapeJava(dst);
sb.setLength(0);
String ipAddr = addr != null ? "/" + addr.getHostAddress() : "null";
sb.append("allowed=").append(succeeded).append("\t")
.append("ugi=").append(userName).append("\t")
.append("ip=").append(addr).append("\t")
.append("ip=").append(ipAddr).append("\t")
.append("cmd=").append(cmd).append("\t")
.append("src=").append(src).append("\t")
.append("dst=").append(dst).append("\t");
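Review bot: The literal "/" prepended in `String ipAddr = addr != null ? "/" + addr.getHostAddress() : "null";` has no explanation and reads like a typo. It appears to keep the `ip=` field in the `hostname/address` shape that `InetAddress.toString()` produces, with the hostname part left empty, so consumers of the audit log that split on the slash keep working. A comment should say so, for example `// Same shape as InetAddress.toString() minus the hostname: "/<literal address>", or "null" when no address is known.` Separately, `src` and `dst` pass through `escapeJava`, but `userName` and `cmd` are appended as-is into this tab-delimited record; a tab or newline in either would break the one-record-per-line format, so it is worth confirming they are constrained upstream. The body of logAuditEvent starts and ends outside the hunk.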


@ -103,7 +103,7 @@ public void test() throws Exception {
FSDataOutputStream os = testLockReport(() ->
userfs.create(new Path("/file")),
".* by create \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"perm=bob:hadoop:rw-r--r--\\) .*");
os.close();
@ -111,7 +111,7 @@ public void test() throws Exception {
// ip=/127.0.0.1,src=/file,dst=null,perm=null)"
FSDataInputStream is = testLockReport(() -> userfs.open(new Path("/file")),
".* by open \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"perm=null\\) .*");
is.close();
@ -120,49 +120,49 @@ public void test() throws Exception {
testLockReport(() ->
userfs.setPermission(new Path("/file"), new FsPermission(644)),
".* by setPermission \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"perm=bob:hadoop:-w----r-T\\) .*");
// The log output should contain "by setOwner (ugi=bob (auth:SIMPLE),
// ip=/127.0.0.1,src=/file,dst=null,perm=alice:group1:-w----r-T)"
testLockReport(() -> userfs.setOwner(new Path("/file"), "alice", "group1"),
".* by setOwner \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"perm=alice:group1:-w----r-T\\) .*");
// The log output should contain "by listStatus (ugi=bob (auth:SIMPLE),
// ip=/127.0.0.1,src=/,dst=null,perm=null)"
testLockReport(() -> userfs.listStatus(new Path("/")),
".* by listStatus \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/,dst=null," +
"perm=null\\) .*");
// The log output should contain "by getfileinfo (ugi=bob (auth:SIMPLE),
// ip=/127.0.0.1,src=/file,dst=null,perm=null)"
testLockReport(() -> userfs.getFileStatus(new Path("/file")),
".* by getfileinfo \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=null," +
"perm=null\\) .*");
// The log output should contain "by mkdirs (ugi=bob (auth:SIMPLE),
// ip=/127.0.0.1,src=/dir,dst=null,perm=bob:hadoop:rwxr-xr-x)"
testLockReport(() -> userfs.mkdirs(new Path("/dir")),
".* by mkdirs \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/dir,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/dir,dst=null," +
"perm=bob:hadoop:rwxr-xr-x\\) .*");
// The log output should contain "by delete (ugi=bob (auth:SIMPLE),
// ip=/127.0.0.1,src=/file2,dst=null,perm=null)"
testLockReport(() -> userfs.rename(new Path("/file"), new Path("/file2")),
".* by rename \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=/file2," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file,dst=/file2," +
"perm=alice:group1:-w----r-T\\) .*");
// The log output should contain "by rename (ugi=bob (auth:SIMPLE),
// ip=/127.0.0.1,src=/file,dst=/file2,perm=alice:group1:-w----r-T)"
testLockReport(() -> userfs.delete(new Path("/file2"), false),
".* by delete \\(ugi=bob \\(auth:SIMPLE\\)," +
"ip=/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file2,dst=null," +
"ip=[a-zA-Z0-9.]+/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3},src=/file2,dst=null," +
"perm=null\\) .*");
}
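Review bot: The comments above the last two assertions are swapped: the `by delete (...)` comment sits over the `userfs.rename(...)` call and the `by rename (...)` comment sits over `userfs.delete(...)`, so each describes the other's expected line. Swap them so the rename call is preceded by `// ip=/127.0.0.1,src=/file,dst=/file2,perm=alice:group1:-w----r-T)"` and the delete call by `// ip=/127.0.0.1,src=/file2,dst=null,perm=null)"`. Every explanatory comment shows `ip=/127.0.0.1`, which the `ip=[a-zA-Z0-9.]+/...` form of the pattern cannot match, since it requires at least one character before the slash and also rejects hyphenated hostnames. Whichever pattern is the new side, the comments should show the same shape as the regex. Both pattern forms accept only dotted IPv4, and test() begins outside the visible hunks.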