Date: Fri, 10 Oct 2014 20:32:34 +0000 (UTC)
From: "Balu Vellanki (JIRA)"
To: dev@falcon.incubator.apache.org
Subject: [jira] [Created] (FALCON-799) Users cannot make web REST api calls on server with umask 077

Balu Vellanki created FALCON-799:
------------------------------------

             Summary: Users cannot make web REST api calls on server with umask 077
                 Key: FALCON-799
                 URL: https://issues.apache.org/jira/browse/FALCON-799
             Project: Falcon
          Issue Type: Bug
          Components: webapp
    Affects Versions: 0.6
            Reporter: Balu Vellanki
             Fix For: 0.6

After applying patch for FALCON-753, I attempted to fetch list of instances for a process owned by "hrt_qa" using Falcon UI.

http://172.18.145.72:15443/api/instance/status/process/rawEmailIngestProcess?start=2014-10-06T00:00Z&end=2014-10-11T20:35Z

This fails with the following error

{code}
FAILED
org.apache.falcon.FalconException: org.apache.hadoop.security.AccessControlException: Permission denied: user=falcon-dashboard, access=EXECUTE, inode="/apps/falcon/primaryCluster/staging/falcon":hrt_qa:users:drwx------
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkFsPermission(FSPermissionChecker.java:271)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:257)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:208)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:171)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:6423)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:6405)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPathAccess(FSNamesystem.java:6330)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListingInt(FSNamesystem.java:4867)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListing(FSNamesystem.java:4828)
	at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getListing(NameNodeRpcServer.java:811)
	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getListing(ClientNamenodeProtocolServerSideTranslatorPB.java:611)
	at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:619)
	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:962)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2039)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2035)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2033)
	at org.apache.falcon.entity.EntityUtil.getAllStagingPaths(EntityUtil.java:555)
	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.findBundles(OozieWorkflowEngine.java:269)
	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.findBundles(OozieWorkflowEngine.java:304)
	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.getCoordActions(OozieWorkflowEngine.java:843)
	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.doJobAction(OozieWorkflowEngine.java:549)
	at org.apache.falcon.workflow.engine.OozieWorkflowEngine.getStatus(OozieWorkflowEngine.java:519)
	at org.apache.falcon.resource.AbstractInstanceManager.getStatus(AbstractInstanceManager.java:129)
	at org.apache.falcon.resource.InstanceManager.getStatus(InstanceManager.java:99)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.falcon.resource.channel.IPCChannel.invoke(IPCChannel.java:49)
	at org.apache.falcon.resource.proxy.InstanceManagerProxy$3.doExecute(InstanceManagerProxy.java:151)
	at org.apache.falcon.resource.proxy.InstanceManagerProxy$InstanceProxy.execute(InstanceManagerProxy.java:332)
	at org.apache.falcon.resource.proxy.InstanceManagerProxy.getStatus_aroundBody4(InstanceManagerProxy.java:155)
	at org.apache.falcon.resource.proxy.InstanceManagerProxy$AjcClosure5.run(InstanceManagerProxy.java:1)
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at org.apache.falcon.aspect.AbstractFalconAspect.logAroundMonitored(AbstractFalconAspect.java:51)
	at org.apache.falcon.resource.proxy.InstanceManagerProxy.getStatus(InstanceManagerProxy.java:136)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:288)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1469)
	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1400)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1349)
	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1339)
	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:537)
	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:699)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
	at org.apache.falcon.security.FalconAuthorizationFilter.doFilter(FalconAuthorizationFilter.java:73)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.falcon.security.FalconAuthenticationFilter$2.doFilter(FalconAuthenticationFilter.java:187)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:572)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:542)
	at org.apache.falcon.security.FalconAuthenticationFilter.doFilter(FalconAuthenticationFilter.java:197)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.apache.falcon.security.FalconAuditFilter.doFilter(FalconAuditFilter.java:56)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.Server.handle(Server.java:326)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
	at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Caused by: org.apache.hadoop.security.AccessControlException: Permission denied: user=falcon-dashboard, access=EXECUTE, inode="/apps/falcon/primaryCluster/staging/falcon":hrt_qa:users:drwx------
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkFsPermission(FSPermissionChecker.java:271)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:257)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:208)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:171)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:6423)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:6405)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPathAccess(FSNamesystem.java:6330)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListingInt(FSNamesystem.java:4867)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListing(FSNamesystem.java:4828)
	at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getListing(NameNodeRpcServer.java:811)
	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getListing(ClientNamenodeProtocolServerSideTranslatorPB.java:611)
	at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:619)
	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:962)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2039)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2035)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2033)
	at sun.reflect.GeneratedConstructorAccessor68.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:106)
	at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:73)
	at org.apache.hadoop.hdfs.DFSClient.listPaths(DFSClient.java:1907)
	at org.apache.hadoop.hdfs.DFSClient.listPaths(DFSClient.java:1888)
	at org.apache.hadoop.hdfs.DistributedFileSystem.listStatusInternal(DistributedFileSystem.java:693)
	at org.apache.hadoop.hdfs.DistributedFileSystem.access$600(DistributedFileSystem.java:105)
	at org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:755)
	at org.apache.hadoop.hdfs.DistributedFileSystem$15.doCall(DistributedFileSystem.java:751)
	at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
	at org.apache.hadoop.hdfs.DistributedFileSystem.listStatus(DistributedFileSystem.java:751)
	at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1485)
	at org.apache.hadoop.fs.FileSystem.listStatus(FileSystem.java:1525)
	at org.apache.falcon.entity.EntityUtil.getAllStagingPaths(EntityUtil.java:544)
	... 64 more
Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=falcon-dashboard, access=EXECUTE, inode="/apps/falcon/primaryCluster/staging/falcon":hrt_qa:users:drwx------
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkFsPermission(FSPermissionChecker.java:271)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:257)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:208)
	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:171)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:6423)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:6405)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPathAccess(FSNamesystem.java:6330)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListingInt(FSNamesystem.java:4867)
	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListing(FSNamesystem.java:4828)
	at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getListing(NameNodeRpcServer.java:811)
	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getListing(ClientNamenodeProtocolServerSideTranslatorPB.java:611)
	at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:619)
	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:962)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2039)
	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2035)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:396)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2033)
	at org.apache.hadoop.ipc.Client.call(Client.java:1468)
	at org.apache.hadoop.ipc.Client.call(Client.java:1399)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:232)
	at $Proxy27.getListing(Unknown Source)
	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getListing(ClientNamenodeProtocolTranslatorPB.java:555)
	at sun.reflect.GeneratedMethodAccessor33.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:187)
	at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
	at $Proxy28.getListing(Unknown Source)
	at org.apache.hadoop.hdfs.DFSClient.listPaths(DFSClient.java:1905)
	... 74 more
{code}

This needs to be fixed by making html5-ui/js/falcon.js set USER_ID to "hrt_qa" or whoever the user is, instead of defaulting to falcon-dashboard. This means user should specify user.name= in query once, and falcon should remember this for subsequent REST api calls.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
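
Added example, not part of the original report or of Falcon's code: a small Python triage helper that parses the HDFS denial line from the trace above and shows why a directory created under umask 077 refuses `falcon-dashboard`, while the same request made as the owner `hrt_qa` would pass without loosening the mode. The function names and the `user_groups` parameter are hypothetical; it assumes directories start from mode 0777 before the umask is applied and that exactly one of the owner, group or other classes is evaluated.

```python
import re

# Message format of the HDFS AccessControlException quoted in the report.
DENIED = re.compile(
    r'Permission denied: user=(?P<user>[^,\s]+), access=(?P<access>[A-Z_]+), '
    r'inode="(?P<path>[^"]+)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[d-][rwxtT-]{9})'
)
ACTION_BITS = {"READ": "r", "WRITE": "w", "EXECUTE": "x"}

def mode_after_umask(umask, base=0o777):
    """Symbolic mode of a directory created with `base` (assumed 0777) under `umask`."""
    bits = base & ~umask
    return "d" + "".join(f if bits & (1 << (8 - i)) else "-"
                         for i, f in enumerate("rwxrwxrwx"))

def required_bits(access):
    """Map an FsAction name such as EXECUTE or READ_EXECUTE to permission letters."""
    if access == "ALL":
        return set("rwx")
    return {ACTION_BITS[p] for p in access.split("_") if p in ACTION_BITS}

def diagnose(line, user_groups=()):
    """Explain one denial: which permission class applied and what it lacked."""
    m = DENIED.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # Normalise the sticky bit: 't' still grants execute, 'T' does not.
    perms = d["mode"][1:].replace("t", "x").replace("T", "-")
    classes = {"owner": perms[0:3], "group": perms[3:6], "other": perms[6:9]}
    if d["user"] == d["owner"]:
        applied = "owner"
    elif d["group"] in user_groups:  # caller supplies the requester's groups
        applied = "group"
    else:
        applied = "other"
    need = required_bits(d["access"])
    return {
        "path": d["path"],
        "request_user": d["user"],
        "owner": d["owner"],
        "applied_class": applied,
        "missing": "".join(sorted(need - set(classes[applied]))),
        # True when the same request made as the directory owner would pass.
        "owner_would_pass": need <= set(classes["owner"]),
    }

# Denial line taken from the report, with quoted-printable encoding decoded.
SAMPLE = ('Permission denied: user=falcon-dashboard, access=EXECUTE, '
          'inode="/apps/falcon/primaryCluster/staging/falcon":hrt_qa:users:drwx------')
```

Whether or not `falcon-dashboard` belongs to group `users`, the applied class carries no execute bit, so the denial is the intended result of umask 077 and the request identity is what has to change.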