  1. Hadoop YARN
  2. YARN-11382

ClientRMService forget to record some audit logs after accessCheck


Details

    • Patch, Important

    Description

      ClientRMService forgets to record some audit logs after accessCheck and just throws a YarnException("User does not have privilege to do something……").

      Here is an example in method "getContainers":

      @Override
      public GetContainersResponse getContainers(GetContainersRequest request)
          throws YarnException, IOException {
        ......
        boolean allowAccess = checkAccess(callerUGI, application.getUser(),
            ApplicationAccessType.VIEW_APP, application);
        GetContainersResponse response = null;
        if (allowAccess) {
          ......
          // a logSuccess should be called here.
        } else {
          // a logFailure should be called here.
          throw new YarnException("User " + callerUGI.getShortUserName()
              + " does not have privilege to see this application " + appId);
        }
        return response;
      }

      Other methods in this class (e.g. signalToContainer) call logSuccess or logFailure after accessCheck.

      I think the requests from users are very critical for auditing, and audit logs should be recorded here.

       

      Also, I found some AuditConstants in RMAuditLogger for these requests (except getApplicationReport), so I guess writing audit logs for them was in the developers' plan but may have been forgotten.

      public class RMAuditLogger {
        ......
        public static class AuditConstants {
          ......
          public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
          public static final String GET_APP_ATTEMPT_REPORT
              = "Get Application Attempt Report";
          public static final String GET_CONTAINERS = "Get Containers";
          public static final String GET_CONTAINER_REPORT = "Get Container Report";
          ......
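
One way to make the missing logSuccess/logFailure calls hard to forget, shown as an added example that is not code from this issue or from Hadoop: route the access-check result through a single helper that writes an audit record on every exit path, including when the permitted operation itself throws. The class name, the `audited` helper, the in-memory sink, the record layout and the sample users and application id are all hypothetical; only the "Get Containers" string comes from the AuditConstants quoted above.

```java
import java.util.*;
import java.util.function.Supplier;

public class AuditedAccessDemo {
  // Same value as RMAuditLogger.AuditConstants.GET_CONTAINERS quoted above.
  static final String GET_CONTAINERS = "Get Containers";
  // Hypothetical in-memory sink standing in for the RM audit log.
  static final List<String> AUDIT = new ArrayList<>();

  static void logSuccess(String user, String op, String target) {
    AUDIT.add("USER=" + user + "\tOPERATION=" + op + "\tTARGET=" + target + "\tRESULT=SUCCESS");
  }

  static void logFailure(String user, String op, String target, String why) {
    AUDIT.add("USER=" + user + "\tOPERATION=" + op + "\tTARGET=" + target
        + "\tRESULT=FAILURE\tDESCRIPTION=" + why);
  }

  // Hypothetical helper: audits every exit path (denied, body threw, body returned).
  static <T> T audited(String user, String op, String target,
      boolean allowed, Supplier<T> body) {
    if (!allowed) {
      logFailure(user, op, target, "Unauthorized user");
      throw new SecurityException("User " + user + " does not have privilege to see " + target);
    }
    try {
      T result = body.get();
      logSuccess(user, op, target);
      return result;
    } catch (RuntimeException e) {
      logFailure(user, op, target, e.getClass().getSimpleName());
      throw e;
    }
  }

  public static void main(String[] args) {
    Set<String> viewers = Set.of("alice");          // constructed ACL
    String app = "application_0000000000000_0001";  // constructed id
    for (String user : List.of("alice", "bob")) {
      try {
        audited(user, GET_CONTAINERS, app, viewers.contains(user),
            () -> List.of("container_1", "container_2"));
      } catch (SecurityException e) {
        System.out.println("denied: " + e.getMessage());
      }
    }
    AUDIT.forEach(System.out::println);  // one record per request, allowed or not
  }
}
```

Running it prints one SUCCESS record for alice and one FAILURE record for bob, so a denied read request leaves the same kind of trace as a permitted one.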

       

       


          People

            Unassigned Unassigned
            chino71 Beibei Zhao
