curie71 opened a new pull request, #5158:
URL: https://github.com/apache/hadoop/pull/5158
ClientRMService forget to record some audit logs after accessCheck and just
throw an YarnException("User does not have privilege to do something……").
Here is an example in method "getContainers":
```java
@Override public GetContainersResponse getContainers(GetContainersRequest
request)
throws YarnException, IOException {
......
boolean allowAccess = checkAccess(callerUGI, application.getUser(),
ApplicationAccessType.VIEW_APP, application);
GetContainersResponse response = null;
if (allowAccess) {
......
// a logSuccess should be called here.
} else {
// a logFailure should be called here.
throw new YarnException("User " + callerUGI.getShortUserName() + "
does not have privilege to see this application " + appId);
}
return response;
}
```
And other methods(e.g. signalToContainer) in this class logSuccess or
logFailure after accessCheck.
I think the requests from users are very critical for auditing and audit
logs should be recorded here.
Also, I found some AuditConstants in RMAuditLogger for these request (except
getApplicationReport), so I guess write audit log for them is in the
developer's planning but maybe forgotten.
```java
public class RMAuditLogger {
......
public static class AuditConstants {
......
public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
public static final String GET_APP_ATTEMPT_REPORT
= "Get Application Attempt Report";
public static final String GET_CONTAINERS = "Get Containers";
public static final String GET_CONTAINER_REPORT = "Get Container Report";
......
```
<!--
Thanks for sending a pull request!
1. If this is your first time, please read our contributor guidelines:
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
2. Make sure your PR title starts with JIRA issue id, e.g.,
'HADOOP-17799. Your PR title ...'.
-->
### Description of PR
### How was this patch tested?
### For code changes:
- [ ] Does the title or this PR starts with the corresponding JIRA issue id
(e.g. 'HADOOP-17799. Your PR title ...')?
- [ ] Object storage: have the integration tests been executed and the
endpoint declared according to the connector-specific documentation?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`,
`NOTICE-binary` files?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
