[YARN-11392] ClientRMService implemented getCallerUgi and verifyUserAccessForRMApp methods but forget to use sometimes, caused audit log missing. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.4
Fix Version/s: 3.4.0, 3.2.5, 3.3.6
Component/s: yarn
Labels:
- audit
- log
- pull-request-available
- yarn

Target Version/s:

3.3.4
Language:
- Java

Description

ClientRMService implemented getCallerUgi and verifyUserAccessForRMApp methods.

private UserGroupInformation getCallerUgi(ApplicationId applicationId,
      String operation) throws YarnException {
    UserGroupInformation callerUGI;
    try {
      callerUGI = UserGroupInformation.getCurrentUser();
    } catch (IOException ie) {
      LOG.info("Error getting UGI ", ie);
      RMAuditLogger.logFailure("UNKNOWN", operation, "UNKNOWN",
          "ClientRMService", "Error getting UGI", applicationId);
      throw RPCUtil.getRemoteException(ie);
    }
    return callerUGI;
  }

Privileged operations like "getContainerReport" (which called checkAccess before op) will call them and record audit logs when an exception happens, but forget to use sometimes, caused audit log missing:

// getApplicationReport
    UserGroupInformation callerUGI;
    try {
      callerUGI = UserGroupInformation.getCurrentUser();
    } catch (IOException ie) {
      LOG.info("Error getting UGI ", ie);
     // a logFailure should be called here. 
     throw RPCUtil.getRemoteException(ie);
    }

So, I will replace some code blocks like this with getCallerUgi or verifyUserAccessForRMApp.

Attachments

Issue Links

links to

GitHub Pull Request #5250

Activity

People

Assignee:: Beibei Zhao

Reporter:: Beibei Zhao

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 08/Dec/22 10:34

Updated:: 08/Jun/23 20:27

Resolved:: 28/Dec/22 00:22