[jira] [Commented] (YARN-11382) ClientRMService forget to record some audit logs after accessCheck

ASF GitHub Bot (Jira) Fri, 09 Dec 2022 16:19:04 -0800


    [ 
https://issues.apache.org/jira/browse/YARN-11382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645525#comment-17645525
 ]


ASF GitHub Bot commented on YARN-11382:
---------------------------------------

hadoop-yetus commented on PR #5158:
URL: https://github.com/apache/hadoop/pull/5158#issuecomment-1344934632

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |:----:|----------:|--------:|:--------:|:-------:|
   | +0 :ok: |  reexec  |   1m  2s |  |  Docker mode activated.  |
   |||| _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  jsonlint  |   0m  0s |  |  jsonlint was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
   |||| _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  14m 41s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  28m 57s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  25m  1s |  |  trunk passed with JDK 
Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04  |
   | +1 :green_heart: |  compile  |  21m 50s |  |  trunk passed with JDK 
Private Build-1.8.0_352-8u352-ga-1~20.04-b08  |
   | +1 :green_heart: |  checkstyle  |   3m 58s |  |  trunk passed  |
   | +1 :green_heart: |  mvnsite  |  20m  0s |  |  trunk passed  |
   | -1 :x: |  javadoc  |   1m 21s | 
[/branch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/branch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt)
 |  root in trunk failed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.  |
   | +1 :green_heart: |  javadoc  |   7m 23s |  |  trunk passed with JDK 
Private Build-1.8.0_352-8u352-ga-1~20.04-b08  |
   | -1 :x: |  spotbugs  |  35m 46s | 
[/branch-spotbugs-root-warnings.html](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/branch-spotbugs-root-warnings.html)
 |  root in trunk has 1 extant spotbugs warnings.  |
   | +1 :green_heart: |  shadedclient  |  57m 51s |  |  branch has no errors 
when building and testing our client artifacts.  |
   |||| _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 22s |  |  Maven dependency ordering for patch  |
   | -1 :x: |  mvninstall  |   0m 30s | 
[/patch-mvninstall-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-mvninstall-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt)
 |  hadoop-yarn-server-resourcemanager in the patch failed.  |
   | -1 :x: |  mvninstall  |   7m  5s | 
[/patch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-mvninstall-root.txt)
 |  root in the patch failed.  |
   | -1 :x: |  compile  |  10m 21s | 
[/patch-compile-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-compile-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt)
 |  root in the patch failed with JDK 
Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.  |
   | -1 :x: |  javac  |  10m 21s | 
[/patch-compile-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-compile-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt)
 |  root in the patch failed with JDK 
Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.  |
   | -1 :x: |  compile  |   9m 17s | 
[/patch-compile-root-jdkPrivateBuild-1.8.0_352-8u352-ga-1~20.04-b08.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-compile-root-jdkPrivateBuild-1.8.0_352-8u352-ga-1~20.04-b08.txt)
 |  root in the patch failed with JDK Private 
Build-1.8.0_352-8u352-ga-1~20.04-b08.  |
   | -1 :x: |  javac  |   9m 18s | 
[/patch-compile-root-jdkPrivateBuild-1.8.0_352-8u352-ga-1~20.04-b08.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-compile-root-jdkPrivateBuild-1.8.0_352-8u352-ga-1~20.04-b08.txt)
 |  root in the patch failed with JDK Private 
Build-1.8.0_352-8u352-ga-1~20.04-b08.  |
   | -1 :x: |  blanks  |   0m  0s | 
[/blanks-eol.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/blanks-eol.txt)
 |  The patch has 12 line(s) that end in blanks. Use git apply --whitespace=fix 
<<patch_file>>. Refer https://git-scm.com/docs/git-apply  |
   | -0 :warning: |  checkstyle  |   3m 41s | 
[/results-checkstyle-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/results-checkstyle-root.txt)
 |  root: The patch generated 1 new + 28 unchanged - 0 fixed = 29 total (was 
28)  |
   | -1 :x: |  mvnsite  |   3m 24s | 
[/patch-mvnsite-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-mvnsite-root.txt)
 |  root in the patch failed.  |
   | -1 :x: |  javadoc  |   1m  5s | 
[/patch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt)
 |  root in the patch failed with JDK 
Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.  |
   | +1 :green_heart: |  javadoc  |   7m 16s |  |  the patch passed with JDK 
Private Build-1.8.0_352-8u352-ga-1~20.04-b08  |
   | -1 :x: |  spotbugs  |   0m 32s | 
[/patch-spotbugs-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-spotbugs-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt)
 |  hadoop-yarn-server-resourcemanager in the patch failed.  |
   | -1 :x: |  spotbugs  |  15m 11s | 
[/patch-spotbugs-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-spotbugs-root.txt)
 |  root in the patch failed.  |
   | -1 :x: |  shadedclient  |   8m 55s |  |  patch has errors when building 
and testing our client artifacts.  |
   |||| _ Other Tests _ |
   | -1 :x: |  unit  | 570m 18s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/patch-unit-root.txt)
 |  root in the patch failed.  |
   | -1 :x: |  asflicense  |   1m 21s | 
[/results-asflicense.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/results-asflicense.txt)
 |  The patch generated 2 ASF License warnings.  |
   |  |   | 829m 16s |  |  |
   
   
   | Reason | Tests |
   |-------:|:------|
   | Failed junit tests | hadoop.hdfs.TestLeaseRecovery2 |
   
   
   | Subsystem | Report/Notes |
   |----------:|:-------------|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5158 |
   | Optional Tests | dupname asflicense codespell detsecrets compile javac 
javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle jsonlint |
   | uname | Linux 04ecd34e4450 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 
18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | trunk / 1876c6ca0e32952a3dfd15017297d809487afe04 |
   | Default Java | Private Build-1.8.0_352-8u352-ga-1~20.04-b08 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04 
/usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_352-8u352-ga-1~20.04-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/testReport/ |
   | Max. process+thread count | 1992 (vs. ulimit of 5500) |
   | modules | C: 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager
 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp
 . U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/4/console |
   | versions | git=2.25.1 maven=3.6.3 spotbugs=4.2.2 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> ClientRMService forget to record some audit logs after accessCheck
> ------------------------------------------------------------------
>
>                 Key: YARN-11382
>                 URL: https://issues.apache.org/jira/browse/YARN-11382
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: api, RM
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>              Labels: audit, log, pull-request-available
>
> *ClientRMService* forget to record some *audit logs* after *accessCheck* and 
> just throw an YarnException("User does not have privilege to do something……").
> Here is an example in method "getContainers":
> {code:java}
> @Override public GetContainersResponse getContainers(GetContainersRequest 
> request)           
>     throws YarnException, IOException { 
>     ...... 
>     boolean allowAccess = checkAccess(callerUGI, application.getUser(),  
> ApplicationAccessType.VIEW_APP, application); 
>     GetContainersResponse response = null; 
>     if (allowAccess) { 
>         ...... 
>         // a logSuccess should be called here. 
>     } else { 
>         // a logFailure should be called here. 
>         throw new YarnException("User " + callerUGI.getShortUserName() + " 
> does not have privilege to see this application " + appId); 
>     } 
>     return response; 
> }{code}
> And other methods(e.g. signalToContainer) in this class logSuccess or 
> logFailure after {*}accessCheck{*}.
> I think the requests from users are very critical for auditing and audit logs 
> should  be recorded here.
>  
> Also, I found some *AuditConstants* in *RMAuditLogger* for these request 
> (except getApplicationReport), so I guess write audit log for them is in the 
> developer's planning but maybe forgotten.
> {code:java}
> public class RMAuditLogger {
>   ......
>     public static class AuditConstants {
>     ......
>     public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
>     public static final String GET_APP_ATTEMPT_REPORT
>         = "Get Application Attempt Report";
>     public static final String GET_CONTAINERS = "Get Containers";
>     public static final String GET_CONTAINER_REPORT = "Get Container Report";
>     ......{code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

[jira] [Commented] (YARN-11382) ClientRMService forget to record some audit logs after accessCheck

Reply via email to