Skip to content

YARN-11382 ClientRMService forget to record some audit logs after checkAccess. #5263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

YARN-11382 ClientRMService forget to record some audit logs after checkAccess. #5263

wants to merge 1 commit into from

Conversation

@curie71
Copy link
Contributor

@curie71 curie71 commented Dec 30, 2022
edited
Loading

YARN-11382 ClientRMService forget to record some audit logs after checkAccess and just throw an YarnException("User does not have privilege to do something……").
Here is an example in method "getContainers":

@Override public GetContainersResponse getContainers(GetContainersRequest request)           
    throws YarnException, IOException { 
    ...... 
    boolean allowAccess = checkAccess(callerUGI, application.getUser(),  ApplicationAccessType.VIEW_APP, application); 
    GetContainersResponse response = null; 
    if (allowAccess) { 
        ...... 
        // a logSuccess should be called here. 
    } else { 
        // a logFailure should be called here. 
        throw new YarnException("User " + callerUGI.getShortUserName() + " does not have privilege to see this application " + appId); 
    } 
    return response; 
}

And other methods(e.g. signalToContainer) in this class logSuccess or logFailure after accessCheck.
I think the requests from users are very critical for auditing and audit logs should  be recorded here.

Also, I found some AuditConstants in RMAuditLogger for these request (except getApplicationReport), so I guess write audit log for them is in the developer's planning but maybe forgotten.

public class RMAuditLogger {
  ......
    public static class AuditConstants {
    ......
    public static final String GET_APP_ATTEMPTS = "Get Application Attempts";
    public static final String GET_APP_ATTEMPT_REPORT
        = "Get Application Attempt Report";
    public static final String GET_CONTAINERS = "Get Containers";
    public static final String GET_CONTAINER_REPORT = "Get Container Report";
    ......

Description of PR

How was this patch tested?

For code changes:

  • Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

@curie71
Copy link
Contributor Author

curie71 commented Dec 30, 2022
edited
Loading

I' m so Sorry for making a mess of #5158 .
I commit the same code again. I' m really sorry for that, could you please review the code again, thanks a lot!!!
@slfan1989

@hadoop-yetus
Copy link

hadoop-yetus commented Dec 30, 2022

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 58s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 38m 59s trunk passed
+1 💚 compile 1m 4s trunk passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 💚 compile 1m 0s trunk passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 💚 checkstyle 0m 55s trunk passed
+1 💚 mvnsite 1m 4s trunk passed
-1 ❌ javadoc 0m 59s /branch-javadoc-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt hadoop-yarn-server-resourcemanager in trunk failed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.
+1 💚 javadoc 0m 48s trunk passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 💚 spotbugs 2m 8s trunk passed
+1 💚 shadedclient 21m 31s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 53s the patch passed
+1 💚 compile 0m 57s the patch passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 💚 javac 0m 57s the patch passed
+1 💚 compile 0m 51s the patch passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 💚 javac 0m 51s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 0m 39s the patch passed
+1 💚 mvnsite 0m 54s the patch passed
-1 ❌ javadoc 0m 40s /patch-javadoc-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager-jdkUbuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.txt hadoop-yarn-server-resourcemanager in the patch failed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04.
+1 💚 javadoc 0m 36s the patch passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 💚 spotbugs 1m 55s the patch passed
+1 💚 shadedclient 20m 51s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 102m 20s hadoop-yarn-server-resourcemanager in the patch passed.
+1 💚 asflicense 0m 38s The patch does not generate ASF License warnings.
200m 12s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5263/1/artifact/out/Dockerfile
GITHUB PR #5263
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux 1b4912529860 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 645b02a
Default Java Private Build-1.8.0_352-8u352-ga-1~20.04-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_352-8u352-ga-1~20.04-b08
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5263/1/testReport/
Max. process+thread count 940 (vs. ulimit of 5500)
modules C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5263/1/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@github-actions
Copy link
Contributor

github-actions bot commented Oct 28, 2025

We're closing this stale PR because it has been open for 100 days with no activity. This isn't a judgement on the merit of the PR in any way. It's just a way of keeping the PR queue manageable.
If you feel like this was a mistake, or you would like to continue working on it, please feel free to re-open it and ask for a committer to remove the stale tag and review again.
Thanks all for your contribution.

@github-actions github-actions bot added the Stale label Oct 28, 2025
@github-actions github-actions bot closed this Oct 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@curie71 @hadoop-yetus