[PR] [DRAFT] [SPARK-51095]. Include caller context for hdfs audit logs for calls from driver [spark]

Wed, 05 Feb 2025 09:00:13 -0800 


sririshindra opened a new pull request, #49814:
URL: https://github.com/apache/spark/pull/49814

   <!--
   Thanks for sending a pull request!  Here are some tips for you:
     1. If this is your first time, please read our contributor guidelines: 
https://spark.apache.org/contributing.html
     2. Ensure you have added or run the appropriate tests for your PR: 
https://spark.apache.org/developer-tools.html
     3. If the PR is unfinished, add '[WIP]' in your PR title, e.g., 
'[WIP][SPARK-XXXX] Your PR title ...'.
     4. Be sure to keep the PR description updated to reflect all changes.
     5. Please write your PR title to summarize what this PR proposes.
     6. If possible, provide a concise example to reproduce the issue for a 
faster review.
     7. If you want to add a new configuration, please read the guideline first 
for naming configurations in
        
'core/src/main/scala/org/apache/spark/internal/config/ConfigEntry.scala'.
     8. If you want to add or modify an error type or message, please read the 
guideline first in
        'common/utils/src/main/resources/error/README.md'.
   -->
   
   ### What changes were proposed in this pull request?
   <!--
   Please clarify what changes you are proposing. The purpose of this section 
is to outline the changes and how this PR fixes the issue. 
   If possible, please consider writing useful notes for better and faster 
reviews in your PR. See the examples below.
     1. If you refactor some codes with changing classes, showing the class 
hierarchy will help reviewers.
     2. If you fix some SQL features, you can provide some references of other 
DBMSes.
     3. If there is design documentation, please add the link.
     4. If there is a discussion in the mailing list, please add the link.
   -->
   Add the caller context for calls from DRIVER to HDFS.
   
   ### Why are the changes needed?
   HDFS audit logs include the ability to add a "caller context".  Spark 
already leverages this to set the yarn application id, job id, task id, etc. 
but only on executors.  The caller context is left empty on the spark driver.  
With introductions of Iceberg we have seen multiple scenarios in which files in 
HDFS are accessed from the driver. But since the caller context is left empty 
our ability to forensically analyse any issues has diminished. This PR includes 
sets caller context from the driver as well. 
   
   <!--
   Please clarify why the changes are needed. For instance,
     1. If you propose a new API, clarify the use case for a new API.
     2. If you fix a bug, you can clarify why it is a bug.
   -->
   
   
   ### Does this PR introduce _any_ user-facing change?
   Yes, hdfs audit logs will now have caller context for calls from driver.
   
   <!--
   Note that it means *any* user-facing change including all aspects such as 
new features, bug fixes, or other behavior changes. Documentation-only updates 
are not considered user-facing changes.
   
   If yes, please clarify the previous behavior and the change this PR proposes 
- provide the console output, description and/or an example to show the 
behavior difference if possible.
   If possible, please also clarify if this is a user-facing change compared to 
the released Spark versions or within the unreleased branches such as master.
   If no, write 'No'.
   -->
   
   
   ### How was this patch tested?
   This patch was tested manually. After this change the hdfs audit logs now 
contain caller context from the driver.
   
   ```
   2025-02-04 21:45:12,488 INFO FSNamesystem.audit: allowed=true        
ugi=iceberg (auth:SIMPLE)       ip=/10.140.144.131      cmd=create      
src=/warehouse/tablespace/external/hive/mwies.db/berg/metadata/00534-a14ccf3e-e50c-4a69-84e3-262389720ae3.metadata.json
 dst=null        perm=iceberg:hive:rw-rw----     proto=rpc       
callerContext=SPARK_DRIVER__application_1738349944329_0054
   2025-02-04 21:45:12,578 INFO FSNamesystem.audit: allowed=true        
ugi=iceberg (auth:SIMPLE)       ip=/10.140.144.131      cmd=delete      
src=/warehouse/tablespace/external/hive/mwies.db/berg/metadata/00528-7ead607d-fa62-40e8-9508-f6a9c87d60e5.metadata.json
 dst=null        perm=null       proto=rpc       
callerContext=SPARK_DRIVER__application_1738349944329_0054
   2025-02-04 21:45:12,607 INFO FSNamesystem.audit: allowed=true        
ugi=iceberg (auth:SIMPLE)       ip=/10.140.144.131      cmd=open        
src=/warehouse/tablespace/external/hive/mwies.db/berg/metadata/00534-a14ccf3e-e50c-4a69-84e3-262389720ae3.metadata.json
 dst=null        perm=null       proto=rpc       
callerContext=SPARK_DRIVER__application_1738349944329_0054
   2025-02-04 21:45:12,636 INFO FSNamesystem.audit: allowed=true        
ugi=iceberg (auth:SIMPLE)       ip=/10.140.144.131      cmd=open        
src=/warehouse/tablespace/external/hive/mwies.db/berg/metadata/snap-4283759160550131345-1-4d208d89-e98a-4493-83a9-5421b46b3075.avro
     dst=null        perm=null       proto=rpc       
callerContext=SPARK_DRIVER__application_1738349944329_0054
   2025-02-04 21:45:12,639 INFO FSNamesystem.audit: allowed=true        
ugi=iceberg (auth:SIMPLE)       ip=/10.140.144.131      cmd=getfileinfo 
src=/warehouse/tablespace/external/hive/mwies.db/berg/metadata/snap-4283759160550131345-1-4d208d89-e98a-4493-83a9-5421b46b3075.avro
     dst=null        perm=null       proto=rpc       
callerContext=SPARK_DRIVER__application_1738349944329_0054
   ```
   
   <!--
   If tests were added, say they were added here. Please make sure to add some 
test cases that check the changes thoroughly including negative and positive 
cases if possible.
   If it was tested in a way different from regular unit tests, please clarify 
how you tested step by step, ideally copy and paste-able, so that other 
reviewers can test and check, and descendants can verify in the future.
   If tests were not added, please describe why they were not added and/or why 
it was difficult to add.
   If benchmark tests were added, please run the benchmarks in GitHub Actions 
for the consistent environment, and the instructions could accord to: 
https://spark.apache.org/developer-tools.html#github-workflow-benchmarks.
   -->
   
   
   ### Was this patch authored or co-authored using generative AI tooling?
   <!--
   If generative AI tooling has been used in the process of authoring this 
patch, please include the
   phrase: 'Generated-by: ' followed by the name of the tool and its version.
   If no, write 'No'.
   Please refer to the [ASF Generative Tooling 
Guidance](https://www.apache.org/legal/generative-tooling.html) for details.
   -->
   No


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org

Reply via email to