Details

    Description

      Hi,

      As Lustre Changelogs are a centralized mechanism reporting activity on the file system, we would like to use it as a basis for an audit facility for Lustre. The aim is to be able to track all accesses to files residing on Lustre, so that they can be recorded and looked up later for auditing purposes.

      Changelogs cannot be used as-is to achieve auditing, because of the following limitations we have identified so far:
      (a) uid/gid information is not recorded;
      (b) OPEN and GETXATTR operations are not recorded;
      (c) CLOSE operations are not recorded if the file is opened in READ_ONLY mode;
      (d) Changelogs only record successful operations, not attempts.

      Further comments on limitations:
      (a) LU-1996 (https://review.whamcloud.com/4060) added support for jobid in Changelogs. If jobid is set to procname_uid, Changelogs will contain procname.uid information. So this could be used to know which user is doing the access. But jobid can be used for another purpose than audit, so we cannot always rely on it. We should create a new changelog extension similar to changelog_ext_jobid, that would hold uid/gid information.

      (b) and (c) We do understand that it would have a performance cost to record OPEN and GEXATTR operations, as it would mean generating a write in the Changelogs for a read operation. Similarly for a CLOSE when a file is opened read-only. We will have to exclude OPEN and GETXATTR from the default Changelogs mask, and potentially create a dedicated changelogs entry type for the 'close on read-only' case, excluded by default. Moreover, we will evaluate the performance cost when these operations are recorded.

      (d) Having all access attempts recorded will definitely increase MDS/MDT load, so we should examine carefully the performance impact of doing this. We would warn users about how much they would suffer by recording all access attempts.

      I will feed this ticket by pushing patches to address the various limitations identified here (and possibly others to come).

      Sebastien.
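      As an added illustration (not code from this ticket or from Lustre itself), the Python below parses constructed `lfs changelog`-style records into audit events and marks which ones can be tied to a user through a dedicated uid/gid field, through a procname_uid-style jobid, or not at all, which is the gap limitation (a) describes. The record layout and the `u=` / `j=` keys are assumptions modelled on the ticket, and the sample lines are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `lfs changelog` output. Field layout (index, type, time,
# date, flags, key=value fields, optional name) and the u=uid:gid / j=jobid
# keys are assumptions modelled on this ticket; lines are made up, not captured.
SAMPLE = """\
4 01CREAT 13:38:12.676513568 2018.04.13 0x0 t=[0x200000402:0x1:0x0] j=touch.500 ef=0xf u=500:500 nid=10.0.2.15@tcp p=[0x200000007:0x1:0x0] secrets.txt
5 10OPEN 13:38:20.123456789 2018.04.13 0x0 t=[0x200000402:0x1:0x0] ef=0xf u=501:501 nid=10.0.2.16@tcp m=r--
6 10OPEN 13:38:21.000000000 2018.04.13 0x0 t=[0x200000402:0x1:0x0] j=cat.501 nid=10.0.2.16@tcp m=r--
7 11CLOSE 13:38:22.000000000 2018.04.13 0x0 t=[0x200000402:0x1:0x0] nid=10.0.2.16@tcp
"""

REC_RE = re.compile(r"^(\d+)\s+\d+([A-Z]+)\s+\S+\s+\S+\s+0x[0-9a-fA-F]+\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\[[^\]]*\]|\S+)")

@dataclass
class AuditEvent:
    index: int
    op: str
    fid: Optional[str]
    uid: Optional[int]
    gid: Optional[int]
    source: str            # "uid_ext", "jobid" or "none"
    nid: Optional[str]
    name: Optional[str]

def parse_record(line: str) -> AuditEvent:
    m = REC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a changelog record: {line!r}")
    index, op, rest = m.groups()
    kv = dict(KV_RE.findall(rest))
    name = KV_RE.sub("", rest).strip() or None   # text left after key=value pairs
    uid = gid = None
    source = "none"
    if "u" in kv:                                # dedicated uid/gid extension
        uid, gid = (int(x) for x in kv["u"].split(":"))
        source = "uid_ext"
    elif "j" in kv and kv["j"].rsplit(".", 1)[-1].isdigit():
        uid, source = int(kv["j"].rsplit(".", 1)[-1]), "jobid"  # procname.uid fallback
    fid = kv.get("t", "").strip("[]") or None
    return AuditEvent(int(index), op, fid, uid, gid, source, kv.get("nid"), name)

def parse_log(text: str) -> List[AuditEvent]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def unattributed(events: List[AuditEvent]) -> List[int]:
    # Records no user can be tied to: the gap limitation (a) describes.
    return [e.index for e in events if e.source == "none"]
```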

          Activity

            [LU-9727] Lustre Audit with Changelogs

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/32335/
            Subject: LU-9727 tests: exercise new changelog fields and records
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 773804640a5d7bb9d106714096dab30cd873501c

            Quentin Bouget (quentin.bouget@cea.fr) uploaded a new patch: https://review.whamcloud.com/32335
            Subject: LU-9727 tests: exercise new changelog fields and records
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 5aeb9778b5943d05e27a5993d4faa7284ed829ff

            pjones Peter Jones added a comment -

            Functionality has landed for 2.11. Let's track the landing of the tests under a new ticket. This can still land after code freeze and before GA if it is ready in time

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/31456/
            Subject: LU-9727 mdd: properly call recording_changelog()
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: dfa318a29b8fe708468989d67ac6928a42bec72d

            Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/31456
            Subject: LU-9727 mdd: properly call recording_changelog()
            Project: fs/lustre-release
            Branch: master
            Current Patch Set: 1
            Commit: 806a23eeaa1992ee343a382a402cd02d30a9b51e

            sbuisson Sebastien Buisson (Inactive) added a comment -

            Hi Quentin,

            I will try to have a look, thanks for letting me know.

            Cheers.

            bougetq Quentin Bouget (Inactive) added a comment -

            Hi Sebastien,

            Could you have a look at LU-10738? I think one of the patches for LU-9727 might have caused it.

            Quentin

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/28314/
            Subject: LU-9727 lustre: record if enable_audit is set on nodemap
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 9dffcdd2fa07520aab89edd15f627518d3f6cff2

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30970/
            Subject: LU-9727 doc: update llog_reader man page for Changelogs
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: a13e325130d60b2bec46f67517fa46892e368337

            Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30315/
            Subject: LU-9727 utils: make llog_reader decode changelog fields
            Project: fs/lustre-release
            Branch: master
            Current Patch Set:
            Commit: 8811869b1e88175d2ea6ead64f7c584b97db98bd
