Description
ClientRMService forgets to record some audit logs after accessCheck and just throws a YarnException("User does not have privilege to do something……").
Here is an example in method "getContainers":
    @Override
    public GetContainersResponse getContainers(GetContainersRequest request)
        throws YarnException, IOException {
      ......
      boolean allowAccess = checkAccess(callerUGI, application.getUser(),
          ApplicationAccessType.VIEW_APP, application);
      GetContainersResponse response = null;
      if (allowAccess) {
        ......
        // a logSuccess should be called here.
      } else {
        // a logFailure should be called here.
        throw new YarnException("User " + callerUGI.getShortUserName()
            + " does not have privilege to see this application " + appId);
      }
      return response;
    }
And other methods (e.g. signalToContainer) in this class call logSuccess or logFailure after accessCheck.
I think the requests from users are very critical for auditing and audit logs should be recorded here.
Also, I found some AuditConstants in RMAuditLogger for these requests (except getApplicationReport), so I guess writing audit logs for them was in the developers' plan but was maybe forgotten.
    public class RMAuditLogger {
      ......
      public static class AuditConstants {
        ......
        public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
        public static final String GET_APP_ATTEMPT_REPORT = "Get Application Attempt Report";
        public static final String GET_CONTAINERS = "Get Containers";
        public static final String GET_CONTAINER_REPORT = "Get Container Report";
        ......
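The pattern the report asks for, as an added stand-alone sketch that is not part of the original report and not Hadoop code: a single helper writes one audit record on both the allow and the deny branch, so a handler cannot throw the "does not have privilege" exception without leaving a trace. `AuditedAccess`, `AccessDenied`, `audited`, the in-memory `AUDIT` list, the record layout and the sample users and application id are all hypothetical; only the `"Get Containers"` string comes from the page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Added illustration; AuditedAccess, AccessDenied and the record layout are
// hypothetical stand-ins, not Hadoop classes.
public class AuditedAccess {
    static final String GET_CONTAINERS = "Get Containers"; // constant quoted on the page
    static final List<String> AUDIT = new ArrayList<>();   // stand-in for the audit log sink

    static class AccessDenied extends Exception {
        AccessDenied(String msg) { super(msg); }
    }

    // Runs the access-checked action and writes exactly one audit record on
    // either branch, so the deny path cannot throw without being logged.
    static <T> T audited(String user, String op, String target,
                         boolean allowAccess, Supplier<T> action) throws AccessDenied {
        if (!allowAccess) {
            AUDIT.add("USER=" + user + "\tOPERATION=" + op + "\tTARGET=" + target
                    + "\tRESULT=FAILURE\tDESCRIPTION=Unauthorized user");
            throw new AccessDenied("User " + user
                    + " does not have privilege to see this application " + target);
        }
        T result = action.get();
        AUDIT.add("USER=" + user + "\tOPERATION=" + op + "\tTARGET=" + target
                + "\tRESULT=SUCCESS");
        return result;
    }

    public static void main(String[] args) {
        String appId = "application_0000000000000_0001"; // constructed sample id
        try {
            // Allowed request: the action runs and a SUCCESS record is written.
            audited("alice", GET_CONTAINERS, appId, true, () -> List.of("container_1"));
            // Denied request: a FAILURE record is written before the exception.
            audited("mallory", GET_CONTAINERS, appId, false, () -> List.of("container_1"));
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
        }
        AUDIT.forEach(System.out::println); // one SUCCESS and one FAILURE record
    }
}
```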