[ https://issues.apache.org/jira/browse/YARN-11382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17653152#comment-17653152 ]

ASF GitHub Bot commented on YARN-11382:
---------------------------------------

curie71 opened a new pull request, #5263:
URL: https://github.com/apache/hadoop/pull/5263

   YARN-11382 ClientRMService forgets to record some audit logs after checkAccess and just throws a YarnException("User does not have privilege to do something……").
   Here is an example in method "getContainers":
   ```java
   @Override
   public GetContainersResponse getContainers(GetContainersRequest request)
       throws YarnException, IOException {
       ......
       boolean allowAccess = checkAccess(callerUGI, application.getUser(),
           ApplicationAccessType.VIEW_APP, application);
       GetContainersResponse response = null;
       if (allowAccess) {
           ......
           // a logSuccess should be called here.
       } else {
           // a logFailure should be called here.
           throw new YarnException("User " + callerUGI.getShortUserName()
               + " does not have privilege to see this application " + appId);
       }
       return response;
   }
   ```
   And other methods (e.g. signalToContainer) in this class call logSuccess or logFailure after accessCheck.
   I think the requests from users are very critical for auditing and audit logs should be recorded here.
   
   Also, I found some AuditConstants in RMAuditLogger for these requests (except getApplicationReport), so I guess writing audit logs for them was in the developer's plan but was maybe forgotten.
   ```java
   public class RMAuditLogger {
     ......
       public static class AuditConstants {
       ......
       public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
       public static final String GET_APP_ATTEMPT_REPORT
           = "Get Application Attempt Report";
       public static final String GET_CONTAINERS = "Get Containers";
       public static final String GET_CONTAINER_REPORT = "Get Container Report";
       ......
   ```
   




> ClientRMService forget to record some audit logs after accessCheck
> ------------------------------------------------------------------
>
>                 Key: YARN-11382
>                 URL: https://issues.apache.org/jira/browse/YARN-11382
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: api, RM
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>              Labels: audit, log, pull-request-available
>
> *ClientRMService* forgets to record some *audit logs* after *accessCheck* and 
> just throws a YarnException("User does not have privilege to do something……").
> Here is an example in method "getContainers":
> {code:java}
> @Override
> public GetContainersResponse getContainers(GetContainersRequest request)
>     throws YarnException, IOException {
>     ......
>     boolean allowAccess = checkAccess(callerUGI, application.getUser(),
>         ApplicationAccessType.VIEW_APP, application);
>     GetContainersResponse response = null;
>     if (allowAccess) {
>         ......
>         // a logSuccess should be called here.
>     } else {
>         // a logFailure should be called here.
>         throw new YarnException("User " + callerUGI.getShortUserName()
>             + " does not have privilege to see this application " + appId);
>     }
>     return response;
> }
> {code}
> And other methods (e.g. signalToContainer) in this class call logSuccess or 
> logFailure after *accessCheck*.
> I think the requests from users are very critical for auditing and audit logs 
> should be recorded here.
>  
> Also, I found some *AuditConstants* in *RMAuditLogger* for these requests 
> (except getApplicationReport), so I guess writing audit logs for them was in the 
> developer's plan but was maybe forgotten.
> {code:java}
> public class RMAuditLogger {
>   ......
>     public static class AuditConstants {
>     ......
>     public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
>     public static final String GET_APP_ATTEMPT_REPORT
>         = "Get Application Attempt Report";
>     public static final String GET_CONTAINERS = "Get Containers";
>     public static final String GET_CONTAINER_REPORT = "Get Container Report";
>     ......{code}
>  
>  
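
The pattern this report asks for, shown as an added example that is not part of the pull request or of Hadoop's code: a wrapper that writes exactly one audit record on every outcome of an access-checked request, so a handler cannot return or throw without leaving a trace. The class `AuditedAccess`, the `audited` helper, the in-memory sink and the record layout are hypothetical stand-ins, and the users and application id are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;

// Added example: every name here is a hypothetical stand-in, not a Hadoop class.
public class AuditedAccess {
  // In-memory audit sink so the example runs without a logging backend.
  static final List<String> AUDIT = new ArrayList<>();

  static void logSuccess(String user, String op, String target) {
    AUDIT.add("USER=" + user + "\tOPERATION=" + op + "\tTARGET=" + target
        + "\tRESULT=SUCCESS");
  }

  static void logFailure(String user, String op, String target, String why) {
    AUDIT.add("USER=" + user + "\tOPERATION=" + op + "\tTARGET=" + target
        + "\tRESULT=FAILURE\tDESCRIPTION=" + why);
  }

  // Runs the handler body only when access is allowed, and writes one audit
  // record on every path: denial, handler exception, or success.
  static <T> T audited(String user, String op, String target,
                       boolean allowAccess, Callable<T> body) throws Exception {
    if (!allowAccess) {
      logFailure(user, op, target, "Unauthorized user"); // constructed description
      throw new SecurityException("User " + user
          + " does not have privilege to see this application " + target);
    }
    try {
      T result = body.call();
      logSuccess(user, op, target);
      return result;
    } catch (Exception e) {
      logFailure(user, op, target, e.getClass().getSimpleName());
      throw e;
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample callers and application id.
    audited("alice", "Get Containers", "application_0001", true,
        () -> List.of("container_01"));
    try {
      audited("mallory", "Get Containers", "application_0001", false, () -> List.of());
    } catch (SecurityException denied) {
      // The denial still reaches the caller; the audit record was written first.
    }
    AUDIT.forEach(System.out::println);
  }
}
```

Routing each read handler through one such helper makes a missing `logFailure` on the denial branch a structural impossibility rather than something to catch in review.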


