[ https://issues.apache.org/jira/browse/YARN-11392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Nauroth reassigned YARN-11392:
------------------------------------

    Assignee: Beibei Zhao

> ClientRMService implemented getCallerUgi and verifyUserAccessForRMApp methods but forget to use sometimes, caused audit log missing.
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-11392
>                 URL: https://issues.apache.org/jira/browse/YARN-11392
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn
>    Affects Versions: 3.3.4
>            Reporter: Beibei Zhao
>            Assignee: Beibei Zhao
>            Priority: Major
>              Labels: audit, log, pull-request-available, yarn
>
> ClientRMService implemented getCallerUgi and verifyUserAccessForRMApp methods.
> {code:java}
> private UserGroupInformation getCallerUgi(ApplicationId applicationId,
>     String operation) throws YarnException {
>   UserGroupInformation callerUGI;
>   try {
>     callerUGI = UserGroupInformation.getCurrentUser();
>   } catch (IOException ie) {
>     LOG.info("Error getting UGI ", ie);
>     RMAuditLogger.logFailure("UNKNOWN", operation, "UNKNOWN",
>         "ClientRMService", "Error getting UGI", applicationId);
>     throw RPCUtil.getRemoteException(ie);
>   }
>   return callerUGI;
> }
> {code}
> *Privileged operations* like "getContainerReport" (which call checkAccess before the op) will call them and *record audit logs* when an *exception* happens, but they are sometimes not used, which causes audit logs to go {*}missing{*}:
> {code:java}
> // getApplicationReport
> UserGroupInformation callerUGI;
> try {
>   callerUGI = UserGroupInformation.getCurrentUser();
> } catch (IOException ie) {
>   LOG.info("Error getting UGI ", ie);
>   // a logFailure should be called here.
>   throw RPCUtil.getRemoteException(ie);
> }
> {code}
> So, I will replace some code blocks like this with getCallerUgi or verifyUserAccessForRMApp.
--
This message was sent by Atlassian Jira (v8.20.10#820010)
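A heuristic check for the gap this issue describes, added here as an example (it is not part of the Jira message or the Hadoop code base): it scans Java source for `UserGroupInformation.getCurrentUser()` calls whose `catch` block never calls `RMAuditLogger.logFailure`. The function names and the sample text are constructed for illustration; the brace matching is purely textual, so braces or `//` inside string literals can mislead it.

```python
import re

# Constructed sample, condensed from the two snippets quoted in the issue.
SAMPLE = '''\
private UserGroupInformation getCallerUgi(ApplicationId applicationId,
    String operation) throws YarnException {
  try {
    return UserGroupInformation.getCurrentUser();
  } catch (IOException ie) {
    RMAuditLogger.logFailure("UNKNOWN", operation, "UNKNOWN",
        "ClientRMService", "Error getting UGI", applicationId);
    throw RPCUtil.getRemoteException(ie);
  }
}
// getApplicationReport
try {
  callerUGI = UserGroupInformation.getCurrentUser();
} catch (IOException ie) {
  // a logFailure should be called here.
  throw RPCUtil.getRemoteException(ie);
}
'''

CALL = "UserGroupInformation.getCurrentUser()"
AUDIT = "RMAuditLogger.logFailure("

def catch_body(src, start):
    """Brace-matched body of the first catch block after start, or None."""
    m = re.search(r"\bcatch\s*\([^)]*\)\s*\{", src[start:])
    if not m:
        return None
    i, depth = start + m.end(), 1
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start + m.end():i - 1]

def find_unaudited(java_src):
    """Lines where getCurrentUser() is handled by a catch that never audits."""
    # Blank out comments (keeping newlines) so a commented-out call is not counted.
    src = re.sub(r"//[^\n]*|/\*.*?\*/",
                 lambda m: "\n" * m.group().count("\n"), java_src, flags=re.S)
    hits, pos = [], src.find(CALL)
    while pos != -1:
        body = catch_body(src, pos)
        if body is None or AUDIT not in body:
            hits.append(src.count("\n", 0, pos) + 1)
        pos = src.find(CALL, pos + 1)
    return hits
```

Each reported line is a candidate for replacement with the shared helper; a call with no following `catch` is also reported so it can be reviewed by hand.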