[jira] [Commented] (YARN-11382) ClientRMService forget to record some audit logs after accessCheck

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/YARN-11382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17647984#comment-17647984
 ] 

ASF GitHub Bot commented on YARN-11382:
---------------------------------------

hadoop-yetus commented on PR #5158:
URL: https://github.com/apache/hadoop/pull/5158#issuecomment-1352842419

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |:----:|----------:|--------:|:--------:|:-------:|
   | +0 :ok: |  reexec  |   0m 58s |  |  Docker mode activated.  |
   |||| _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  jsonlint  |   0m  1s |  |  jsonlint was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
   |||| _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 49s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  27m 34s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  25m  8s |  |  trunk passed with JDK 
Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04  |
   | +1 :green_heart: |  compile  |  20m 32s |  |  trunk passed with JDK 
Private Build-1.8.0_352-8u352-ga-1~20.04-b08  |
   | +1 :green_heart: |  checkstyle  |   3m 48s |  |  trunk passed  |
   | +1 :green_heart: |  mvnsite  |  19m  3s |  |  trunk passed  |
   | -1 :x: |  javadoc  |   1m 22s | 
[/branch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/artifact/out/branch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt)
 |  root in trunk failed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.  |
   | +1 :green_heart: |  javadoc  |   7m 26s |  |  trunk passed with JDK 
Private Build-1.8.0_352-8u352-ga-1~20.04-b08  |
   | -1 :x: |  spotbugs  |  34m 28s | 
[/branch-spotbugs-root-warnings.html](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/artifact/out/branch-spotbugs-root-warnings.html)
 |  root in trunk has 1 extant spotbugs warnings.  |
   | +1 :green_heart: |  shadedclient  |  53m 45s |  |  branch has no errors 
when building and testing our client artifacts.  |
   |||| _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 30s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  23m 17s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  22m 33s |  |  the patch passed with JDK 
Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04  |
   | +1 :green_heart: |  javac  |  22m 33s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  20m 27s |  |  the patch passed with JDK 
Private Build-1.8.0_352-8u352-ga-1~20.04-b08  |
   | +1 :green_heart: |  javac  |  20m 27s |  |  the patch passed  |
   | -1 :x: |  blanks  |   0m  0s | 
[/blanks-eol.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/artifact/out/blanks-eol.txt)
 |  The patch has 11 line(s) that end in blanks. Use git apply --whitespace=fix 
<<patch_file>>. Refer https://git-scm.com/docs/git-apply  |
   | +1 :green_heart: |  checkstyle  |   3m 40s |  |  the patch passed  |
   | +1 :green_heart: |  mvnsite  |  18m 36s |  |  the patch passed  |
   | -1 :x: |  javadoc  |   1m 13s | 
[/patch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/artifact/out/patch-javadoc-root-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt)
 |  root in the patch failed with JDK 
Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.  |
   | +1 :green_heart: |  javadoc  |   7m 19s |  |  the patch passed with JDK 
Private Build-1.8.0_352-8u352-ga-1~20.04-b08  |
   | +1 :green_heart: |  spotbugs  |  36m 32s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  52m 41s |  |  patch has no errors 
when building and testing our client artifacts.  |
   |||| _ Other Tests _ |
   | -1 :x: |  unit  | 834m 31s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | -1 :x: |  asflicense  |   1m 31s | 
[/results-asflicense.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/artifact/out/results-asflicense.txt)
 |  The patch generated 2 ASF License warnings.  |
   |  |   | 1173m 16s |  |  |
   
   
   | Reason | Tests |
   |-------:|:------|
   | Failed junit tests | hadoop.hdfs.TestLeaseRecovery2 |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesJobConf |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesTasks |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesJobs |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServices |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesAttempts |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesLogs |
   |   | hadoop.mapreduce.v2.hs.webapp.TestHsWebServicesJobsQuery |
   
   
   | Subsystem | Report/Notes |
   |----------:|:-------------|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5158 |
   | Optional Tests | dupname asflicense codespell detsecrets compile javac 
javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle jsonlint |
   | uname | Linux d2b1d2a6c92b 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 
18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | trunk / c5eebdae9e96d968cab8dd74155b969e780ebae1 |
   | Default Java | Private Build-1.8.0_352-8u352-ga-1~20.04-b08 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04 
/usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_352-8u352-ga-1~20.04-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/testReport/ |
   | Max. process+thread count | 3732 (vs. ulimit of 5500) |
   | modules | C: 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager
 
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp
 . U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5158/5/console |
   | versions | git=2.25.1 maven=3.6.3 spotbugs=4.2.2 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> ClientRMService forget to record some audit logs after accessCheck
> ------------------------------------------------------------------
>
>                 Key: YARN-11382
>                 URL: https://issues.apache.org/jira/browse/YARN-11382
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: api, RM
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Priority: Major
>              Labels: audit, log, pull-request-available
>
> *ClientRMService* forget to record some *audit logs* after *accessCheck* and 
> just throw an YarnException("User does not have privilege to do something……").
> Here is an example in method "getContainers":
> {code:java}
> @Override public GetContainersResponse getContainers(GetContainersRequest 
> request)           
>     throws YarnException, IOException { 
>     ...... 
>     boolean allowAccess = checkAccess(callerUGI, application.getUser(),  
> ApplicationAccessType.VIEW_APP, application); 
>     GetContainersResponse response = null; 
>     if (allowAccess) { 
>         ...... 
>         // a logSuccess should be called here. 
>     } else { 
>         // a logFailure should be called here. 
>         throw new YarnException("User " + callerUGI.getShortUserName() + " 
> does not have privilege to see this application " + appId); 
>     } 
>     return response; 
> }{code}
> And other methods(e.g. signalToContainer) in this class logSuccess or 
> logFailure after {*}accessCheck{*}.
> I think the requests from users are very critical for auditing and audit logs 
> should  be recorded here.
>  
> Also, I found some *AuditConstants* in *RMAuditLogger* for these request 
> (except getApplicationReport), so I guess write audit log for them is in the 
> developer's planning but maybe forgotten.
> {code:java}
> public class RMAuditLogger {
>   ......
>     public static class AuditConstants {
>     ......
>     public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
>     public static final String GET_APP_ATTEMPT_REPORT
>         = "Get Application Attempt Report";
>     public static final String GET_CONTAINERS = "Get Containers";
>     public static final String GET_CONTAINER_REPORT = "Get Container Report";
>     ......{code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org