You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-dev@hadoop.apache.org by "Beibei Zhao (Jira)" <ji...@apache.org> on 2022/11/22 13:26:00 UTC
[jira] [Created] (YARN-11382) ClientRMService forget to record some audit logs after accessCheck
Beibei Zhao created YARN-11382:
----------------------------------
Summary: ClientRMService forget to record some audit logs after accessCheck
Key: YARN-11382
URL: https://issues.apache.org/jira/browse/YARN-11382
Project: Hadoop YARN
Issue Type: Bug
Components: api, RM
Affects Versions: 3.3.4
Reporter: Beibei Zhao
ClientRMService forget to record some audit logs after accessCheck and just throw an YarnException("User does not have privilege to do something……").
Here is an example in method "getContainers":
{code:java}
@Override public GetContainersResponse getContainers(GetContainersRequest request)
throws YarnException, IOException {
......
boolean allowAccess = checkAccess(callerUGI, application.getUser(), ApplicationAccessType.VIEW_APP, application);
GetContainersResponse response = null;
if (allowAccess) {
......
// a logSuccess should be called here.
} else {
// a logFailure should be called here.
throw new YarnException("User " + callerUGI.getShortUserName() + " does not have privilege to see this application " + appId);
}
return response;
}{code}
And other methods(e.g. signalToContainer) in this class logSuccess or logFailure after accessCheck.
I think the requests from users are very critical for auditing and audit logs should be recorded here.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org