[
https://issues.apache.org/jira/browse/YARN-11382?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Beibei Zhao updated YARN-11382:
-------------------------------
Description:
*ClientRMService* forgets to record some *audit logs* after *accessCheck* and
just throws a YarnException("User does not have privilege to do something……").
Here is an example in method "getContainers":
{code:java}
@Override
public GetContainersResponse getContainers(GetContainersRequest request)
    throws YarnException, IOException {
  ......
  boolean allowAccess = checkAccess(callerUGI, application.getUser(),
      ApplicationAccessType.VIEW_APP, application);
  GetContainersResponse response = null;
  if (allowAccess) {
    ......
    // a logSuccess should be called here.
  } else {
    // a logFailure should be called here.
    throw new YarnException("User " + callerUGI.getShortUserName()
        + " does not have privilege to see this application " + appId);
  }
  return response;
}
{code}
And other methods (e.g. signalToContainer) in this class logSuccess or
logFailure after *accessCheck*.
I think the requests from users are very critical for auditing and audit logs
should be recorded here.
Also, I found some *AuditConstants* in *RMAuditLogger* for these requests
(except getApplicationReport), so I guess writing audit logs for them was in the
developer's plan but maybe forgotten.
{code:java}
public class RMAuditLogger {
  ......
  public static class AuditConstants {
    ......
    public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
    public static final String GET_APP_ATTEMPT_REPORT
        = "Get Application Attempt Report";
    public static final String GET_CONTAINERS = "Get Containers";
    public static final String GET_CONTAINER_REPORT = "Get Container Report";
    ......
{code}
was:
ClientRMService forgets to record some audit logs after accessCheck and just
throws a YarnException("User does not have privilege to do something……").
Here is an example in method "getContainers":
{code:java}
@Override
public GetContainersResponse getContainers(GetContainersRequest request)
    throws YarnException, IOException {
  ......
  boolean allowAccess = checkAccess(callerUGI, application.getUser(),
      ApplicationAccessType.VIEW_APP, application);
  GetContainersResponse response = null;
  if (allowAccess) {
    ......
    // a logSuccess should be called here.
  } else {
    // a logFailure should be called here.
    throw new YarnException("User " + callerUGI.getShortUserName()
        + " does not have privilege to see this application " + appId);
  }
  return response;
}
{code}
And other methods (e.g. signalToContainer) in this class logSuccess or
logFailure after accessCheck.
I think the requests from users are very critical for auditing and audit logs
should be recorded here.
> ClientRMService forget to record some audit logs after accessCheck
> ------------------------------------------------------------------
>
> Key: YARN-11382
> URL: https://issues.apache.org/jira/browse/YARN-11382
> Project: Hadoop YARN
> Issue Type: Bug
> Components: api, RM
> Affects Versions: 3.3.4
> Reporter: Beibei Zhao
> Priority: Major
> Labels: audit, log
>
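An added example, not code from the issue or from Hadoop: a stand-alone Java model of the behaviour the report asks for, in which getContainers writes an audit record on both branches of the access check. The class AuditAfterAccessCheck, its in-memory AUDIT list, the simplified checkAccess and the record layout are hypothetical stand-ins; only the "Get Containers" operation name is taken from the AuditConstants excerpt in the description.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Stand-alone model; every type and helper here is a hypothetical stand-in, not Hadoop code.
public class AuditAfterAccessCheck {
  // Operation name as listed in the AuditConstants excerpt of the issue.
  static final String GET_CONTAINERS = "Get Containers";
  // In-memory audit sink standing in for the real audit logger (assumption).
  static final List<String> AUDIT = new ArrayList<>();

  // The key=value record layout is an assumption made for this sketch.
  static void logSuccess(String user, String op, String appId) {
    AUDIT.add("USER=" + user + " OPERATION=" + op + " RESULT=SUCCESS APPID=" + appId);
  }

  static void logFailure(String user, String op, String reason, String appId) {
    AUDIT.add("USER=" + user + " OPERATION=" + op + " RESULT=FAILURE DESCRIPTION="
        + reason + " APPID=" + appId);
  }

  // Simplified access check: the owner and listed viewers may view the application.
  static boolean checkAccess(String caller, String owner, Set<String> viewers) {
    return caller.equals(owner) || viewers.contains(caller);
  }

  static List<String> getContainers(String caller, String appId, String owner,
      Set<String> viewers) {
    if (!checkAccess(caller, owner, viewers)) {
      // Record the denial before throwing; otherwise it never reaches the audit trail.
      logFailure(caller, GET_CONTAINERS, "no VIEW_APP access", appId);
      throw new SecurityException("User " + caller
          + " does not have privilege to see this application " + appId);
    }
    List<String> containers = List.of("container_01", "container_02"); // constructed data
    logSuccess(caller, GET_CONTAINERS, appId); // record the permitted read as well
    return containers;
  }

  public static void main(String[] args) {
    Set<String> viewers = Set.of("alice"); // constructed ACL
    getContainers("alice", "application_0001", "bob", viewers);
    try {
      getContainers("carol", "application_0001", "bob", viewers);
    } catch (SecurityException expected) {
      // The denied call has already been audited at this point.
    }
    AUDIT.forEach(System.out::println); // print the collected audit trail
  }
}
```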