[YARN-11392] ClientRMService implemented getCallerUgi and verifyUserAccessForRMApp methods but forget to use sometimes, caused audit log missing. - ASF JIRA

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.4
Fix Version/s: 3.4.0, 3.2.5, 3.3.6
Component/s: yarn
Labels:
- audit
- log
- pull-request-available
- yarn

Target Version/s:

3.3.4
Language:
- Java

Description

ClientRMService implemented getCallerUgi and verifyUserAccessForRMApp methods.

private UserGroupInformation getCallerUgi(ApplicationId applicationId,
      String operation) throws YarnException {
    UserGroupInformation callerUGI;
    try {
      callerUGI = UserGroupInformation.getCurrentUser();
    } catch (IOException ie) {
      LOG.info("Error getting UGI ", ie);
      RMAuditLogger.logFailure("UNKNOWN", operation, "UNKNOWN",
          "ClientRMService", "Error getting UGI", applicationId);
      throw RPCUtil.getRemoteException(ie);
    }
    return callerUGI;
  }

Privileged operations like "getContainerReport" (which called checkAccess before op) will call them and record audit logs when an exception happens, but forget to use sometimes, caused audit log missing:

// getApplicationReport
    UserGroupInformation callerUGI;
    try {
      callerUGI = UserGroupInformation.getCurrentUser();
    } catch (IOException ie) {
      LOG.info("Error getting UGI ", ie);
     // a logFailure should be called here. 
     throw RPCUtil.getRemoteException(ie);
    }

So, I will replace some code blocks like this with getCallerUgi or verifyUserAccessForRMApp.