You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-dev@hadoop.apache.org by "Beibei Zhao (Jira)" <ji...@apache.org> on 2022/11/22 13:26:00 UTC

[jira] [Created] (YARN-11382) ClientRMService forget to record some audit logs after accessCheck

Beibei Zhao created YARN-11382:
----------------------------------

             Summary: ClientRMService forget to record some audit logs after accessCheck
                 Key: YARN-11382
                 URL: https://issues.apache.org/jira/browse/YARN-11382
             Project: Hadoop YARN
          Issue Type: Bug
          Components: api, RM
    Affects Versions: 3.3.4
            Reporter: Beibei Zhao


ClientRMService forget to record some audit logs after accessCheck and just throw an YarnException("User does not have privilege to do something……").

Here is an example in method "getContainers":
{code:java}
@Override public GetContainersResponse getContainers(GetContainersRequest request)           
    throws YarnException, IOException { 
    ...... 
    boolean allowAccess = checkAccess(callerUGI, application.getUser(),  ApplicationAccessType.VIEW_APP, application); 
    GetContainersResponse response = null; 
    if (allowAccess) { 
        ...... 
        // a logSuccess should be called here. 
    } else { 
        // a logFailure should be called here. 
        throw new YarnException("User " + callerUGI.getShortUserName() + " does not have privilege to see this application " + appId); 
    } 
    return response; 
}{code}
And other methods(e.g. signalToContainer) in this class logSuccess or logFailure after accessCheck.

I think the requests from users are very critical for auditing and audit logs should  be recorded here.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org