[jira] [Commented] (YARN-11382) ClientRMService forget to record some audit logs after accessCheck

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/YARN-11382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17638163#comment-17638163
 ] 

ASF GitHub Bot commented on YARN-11382:
---------------------------------------

hadoop-yetus commented on PR #5158:
URL: https://github.com/apache/hadoop/pull/5158#issuecomment-1326095774

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |:----:|----------:|--------:|:--------:|:-------:|
   | +0 :ok: |  reexec  |   0m 55s |  |  Docker mode activated.  |
   |||| _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  jsonlint  |   0m  0s |  |  jsonlint was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
   |||| _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 26s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  29m 30s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  26m 20s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |  23m  1s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  checkstyle  |   4m 26s |  |  trunk passed  |
   | +1 :green_heart: |  mvnsite  |  20m 31s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 33s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 33s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  spotbugs  |  36m  8s | 
[/branch-spotbugs-root-warnings.html](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/artifact/out/branch-spotbugs-root-warnings.html)
 |  root in trunk has 1 extant spotbugs warnings.  |
   | +1 :green_heart: |  shadedclient  |  59m 21s |  |  branch has no errors 
when building and testing our client artifacts.  |
   |||| _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 24s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  26m 37s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  25m 13s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |  25m 13s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  22m 20s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  javac  |  22m 20s |  |  the patch passed  |
   | -1 :x: |  blanks  |   0m  0s | 
[/blanks-eol.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/artifact/out/blanks-eol.txt)
 |  The patch has 11 line(s) that end in blanks. Use git apply --whitespace=fix 
<<patch_file>>. Refer https://git-scm.com/docs/git-apply  |
   | -0 :warning: |  checkstyle  |   4m 18s | 
[/results-checkstyle-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/artifact/out/results-checkstyle-root.txt)
 |  root: The patch generated 1 new + 28 unchanged - 0 fixed = 29 total (was 
28)  |
   | +1 :green_heart: |  mvnsite  |  20m  7s |  |  the patch passed  |
   | +1 :green_heart: |  javadoc  |   8m 34s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 43s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  spotbugs  |  44m 43s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  65m  3s |  |  patch has no errors 
when building and testing our client artifacts.  |
   |||| _ Other Tests _ |
   | -1 :x: |  unit  | 1096m 28s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | -1 :x: |  asflicense  |   2m  0s | 
[/results-asflicense.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/artifact/out/results-asflicense.txt)
 |  The patch generated 2 ASF License warnings.  |
   |  |   | 1487m  4s |  |  |
   
   
   | Reason | Tests |
   |-------:|:------|
   | Failed junit tests | hadoop.mapreduce.v2.hs.webapp.TestHsWebServices |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesTasks |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesAttempts |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesLogs |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesJobs |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesJobsQuery |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesJobConf |
   |   | hadoop.mapreduce.v2.app.webapp.TestAMWebServicesJobs |
   |   | hadoop.mapreduce.v2.app.webapp.TestAMWebServicesJobConf |
   |   | hadoop.mapreduce.v2.app.webapp.TestAMWebServicesAttempts |
   |   | hadoop.mapreduce.v2.app.webapp.TestAMWebServices |
   |   | hadoop.mapreduce.v2.app.TestRuntimeEstimators |
   |   | hadoop.mapreduce.v2.app.webapp.TestAMWebServicesTasks |
   |   | 
hadoop.yarn.server.resourcemanager.reservation.TestCapacityOverTimePolicy |
   |   | hadoop.hdfs.TestLeaseRecovery2 |
   |   | hadoop.hdfs.TestLeaseRecovery |
   |   | hadoop.hdfs.server.balancer.TestBalancerService |
   
   
   | Subsystem | Report/Notes |
   |----------:|:-------------|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5158 |
   | Optional Tests | dupname asflicense codespell detsecrets compile javac 
javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle jsonlint |
   | uname | Linux 66275f8a42f4 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | trunk / 97387470497ec5f848b85810af0516086dec6988 |
   | Default Java | Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 
/usr/lib/jvm/java-8-openjdk-amd64:Private 
Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/testReport/ |
   | Max. process+thread count | 2563 (vs. ulimit of 5500) |
   | modules | C: 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager
 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp
 . U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/3/console |
   | versions | git=2.25.1 maven=3.6.3 spotbugs=4.2.2 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> ClientRMService forget to record some audit logs after accessCheck
> ------------------------------------------------------------------
>
>                 Key: YARN-11382
>                 URL: https://issues.apache.org/jira/browse/YARN-11382
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: api, RM
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>              Labels: audit, log, pull-request-available
>
> *ClientRMService* forget to record some *audit logs* after *accessCheck* and 
> just throw an YarnException("User does not have privilege to do something……").
> Here is an example in method "getContainers":
> {code:java}
> @Override public GetContainersResponse getContainers(GetContainersRequest 
> request)           
>     throws YarnException, IOException { 
>     ...... 
>     boolean allowAccess = checkAccess(callerUGI, application.getUser(),  
> ApplicationAccessType.VIEW_APP, application); 
>     GetContainersResponse response = null; 
>     if (allowAccess) { 
>         ...... 
>         // a logSuccess should be called here. 
>     } else { 
>         // a logFailure should be called here. 
>         throw new YarnException("User " + callerUGI.getShortUserName() + " 
> does not have privilege to see this application " + appId); 
>     } 
>     return response; 
> }{code}
> And other methods(e.g. signalToContainer) in this class logSuccess or 
> logFailure after {*}accessCheck{*}.
> I think the requests from users are very critical for auditing and audit logs 
> should  be recorded here.
>  
> Also, I found some *AuditConstants* in *RMAuditLogger* for these request 
> (except getApplicationReport), so I guess write audit log for them is in the 
> developer's planning but maybe forgotten.
> {code:java}
> public class RMAuditLogger {
>   ......
>     public static class AuditConstants {
>     ......
>     public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
>     public static final String GET_APP_ATTEMPT_REPORT
>         = "Get Application Attempt Report";
>     public static final String GET_CONTAINERS = "Get Containers";
>     public static final String GET_CONTAINER_REPORT = "Get Container Report";
>     ......{code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org