Details
Major Description
ClientRMService forget to record some audit logs after accessCheck and just throw an YarnException("User does not have privilege to do something……").
Here is an example in method "getContainers":
@Override public GetContainersResponse getContainers(GetContainersRequest request) throws YarnException, IOException { ...... boolean allowAccess = checkAccess(callerUGI, application.getUser(), ApplicationAccessType.VIEW_APP, application); GetContainersResponse response = null; if (allowAccess) { ...... // a logSuccess should be called here. } else { // a logFailure should be called here. throw new YarnException("User " + callerUGI.getShortUserName() + " does not have privilege to see this application " + appId); } return response; }
And other methods(e.g. signalToContainer) in this class logSuccess or logFailure after accessCheck.
I think the requests from users are very critical for auditing and audit logs should be recorded here.
Also, I found some AuditConstants in RMAuditLogger for these request (except getApplicationReport), so I guess write audit log for them is in the developer's planning but maybe forgotten.
public class RMAuditLogger { ...... public static class AuditConstants { ...... public static final String GET_APP_ATTEMPTS = "Get Application Attempts"; public static final String GET_APP_ATTEMPT_REPORT = "Get Application Attempt Report"; public static final String GET_CONTAINERS = "Get Containers"; public static final String GET_CONTAINER_REPORT = "Get Container Report"; ......