[jira] [Commented] (YARN-11382) ClientRMService forget to record some audit logs after accessCheck

Tue, 22 Nov 2022 07:27:09 -0800 


    [ 
https://issues.apache.org/jira/browse/YARN-11382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17637320#comment-17637320
 ] 

ASF GitHub Bot commented on YARN-11382:
---------------------------------------

slfan1989 commented on code in PR #5158:
URL: https://github.com/apache/hadoop/pull/5158#discussion_r1029477113


##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/yarn-error.log:
##########
@@ -0,0 +1,52 @@
+Arguments: 

Review Comment:
   This file is redundant, please delete it





> ClientRMService forget to record some audit logs after accessCheck
> ------------------------------------------------------------------
>
>                 Key: YARN-11382
>                 URL: https://issues.apache.org/jira/browse/YARN-11382
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: api, RM
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>              Labels: audit, log, pull-request-available
>
> *ClientRMService* forget to record some *audit logs* after *accessCheck* and 
> just throw an YarnException("User does not have privilege to do something……").
> Here is an example in method "getContainers":
> {code:java}
> @Override public GetContainersResponse getContainers(GetContainersRequest 
> request)           
>     throws YarnException, IOException { 
>     ...... 
>     boolean allowAccess = checkAccess(callerUGI, application.getUser(),  
> ApplicationAccessType.VIEW_APP, application); 
>     GetContainersResponse response = null; 
>     if (allowAccess) { 
>         ...... 
>         // a logSuccess should be called here. 
>     } else { 
>         // a logFailure should be called here. 
>         throw new YarnException("User " + callerUGI.getShortUserName() + " 
> does not have privilege to see this application " + appId); 
>     } 
>     return response; 
> }{code}
> And other methods(e.g. signalToContainer) in this class logSuccess or 
> logFailure after {*}accessCheck{*}.
> I think the requests from users are very critical for auditing and audit logs 
> should  be recorded here.
>  
> Also, I found some *AuditConstants* in *RMAuditLogger* for these request 
> (except getApplicationReport), so I guess write audit log for them is in the 
> developer's planning but maybe forgotten.
> {code:java}
> public class RMAuditLogger {
>   ......
>     public static class AuditConstants {
>     ......
>     public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
>     public static final String GET_APP_ATTEMPT_REPORT
>         = "Get Application Attempt Report";
>     public static final String GET_CONTAINERS = "Get Containers";
>     public static final String GET_CONTAINER_REPORT = "Get Container Report";
>     ......{code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to