[ https://issues.apache.org/jira/browse/YARN-11382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17653152#comment-17653152 ]
ASF GitHub Bot commented on YARN-11382:
---------------------------------------

curie71 opened a new pull request, #5263:
URL: https://github.com/apache/hadoop/pull/5263

YARN-11382

ClientRMService forgets to record some audit logs after checkAccess and just throws a YarnException("User does not have privilege to do something……").

Here is an example in method "getContainers":

```java
@Override
public GetContainersResponse getContainers(GetContainersRequest request)
    throws YarnException, IOException {
  ......
  boolean allowAccess = checkAccess(callerUGI, application.getUser(),
      ApplicationAccessType.VIEW_APP, application);
  GetContainersResponse response = null;
  if (allowAccess) {
    ......
    // a logSuccess should be called here.
  } else {
    // a logFailure should be called here.
    throw new YarnException("User " + callerUGI.getShortUserName()
        + " does not have privilege to see this application " + appId);
  }
  return response;
}
```

Other methods (e.g. signalToContainer) in this class call logSuccess or logFailure after accessCheck.

I think the requests from users are very critical for auditing and audit logs should be recorded here.

Also, I found some AuditConstants in RMAuditLogger for these requests (except getApplicationReport), so I guess writing audit logs for them was in the developer's planning but maybe forgotten.

```java
public class RMAuditLogger {
  ......
  public static class AuditConstants {
    ......
    public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
    public static final String GET_APP_ATTEMPT_REPORT = "Get Application Attempt Report";
    public static final String GET_CONTAINERS = "Get Containers";
    public static final String GET_CONTAINER_REPORT = "Get Container Report";
    ......
```

> ClientRMService forget to record some audit logs after accessCheck
> ------------------------------------------------------------------
>
>                 Key: YARN-11382
>                 URL: https://issues.apache.org/jira/browse/YARN-11382
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: api, RM
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>              Labels: audit, log, pull-request-available
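
An added example, not code from the pull request or from Hadoop: a stand-alone Java model of the pattern the issue asks for, with the access decision and its audit record written in one helper so that the denied path cannot throw without leaving a log line. `AuditedAccess`, `requireAccess`, the simplified ACL rule, the audit line layout and the sample users and ids are assumptions made for illustration; only the `"Get Containers"` value and the exception message text come from the issue.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Stand-alone model of the pattern; not Hadoop code. All names, the ACL rule
// and the audit line layout are hypothetical and constructed for this example.
public class AuditedAccess {
  static final String GET_CONTAINERS = "Get Containers"; // value quoted in the issue
  static final List<String> AUDIT = new ArrayList<>();   // stands in for the audit log

  static class AccessDeniedException extends Exception {
    AccessDeniedException(String msg) { super(msg); }
  }

  // Simplified ACL: the application owner and listed admins may view.
  static boolean checkAccess(String caller, String owner, Set<String> admins) {
    return caller.equals(owner) || admins.contains(caller);
  }

  // Decides and records in one place, so no caller can skip the audit line.
  static void requireAccess(String caller, String owner, Set<String> admins,
      String operation, String appId) throws AccessDeniedException {
    String prefix = "USER=" + caller + "\tOPERATION=" + operation;
    if (checkAccess(caller, owner, admins)) {
      AUDIT.add(prefix + "\tRESULT=SUCCESS\tAPPID=" + appId);
      return;
    }
    AUDIT.add(prefix + "\tRESULT=FAILURE\tDESCRIPTION=Unauthorized user\tAPPID=" + appId);
    throw new AccessDeniedException("User " + caller
        + " does not have privilege to see this application " + appId);
  }

  static List<String> getContainers(String caller, String owner,
      Set<String> admins, String appId) throws AccessDeniedException {
    requireAccess(caller, owner, admins, GET_CONTAINERS, appId);
    return List.of("container_0001", "container_0002"); // constructed sample data
  }

  public static void main(String[] args) {
    String appId = "application_0000000000000_0001"; // constructed sample id
    for (String caller : new String[] {"alice", "mallory"}) {
      try {
        System.out.println(caller + " -> "
            + getContainers(caller, "alice", Set.of("yarnadmin"), appId));
      } catch (AccessDeniedException e) {
        System.out.println(caller + " -> denied: " + e.getMessage());
      }
    }
    AUDIT.forEach(System.out::println); // one SUCCESS and one FAILURE record
  }
}
```

Unlike the placement suggested in the issue, this model records success at the moment of the access decision rather than after the response is built; the denied request is what would otherwise leave no trace for a reviewer looking for probing of other users' applications.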