hadoop-common-issues mailing list archives

From "Jeff Storck (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
Date Fri, 28 Jul 2017 22:50:02 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Storck updated HADOOP-14699:
---------------------------------
    Description: 
Multiple principals that are logged in using UGI instances that are instantiated from a UGI
class loaded by the same classloader will encounter problems when the second principal attempts
to relogin and perform an action using a UGI.doAs().  An impersonation will occur and the
operation attempted by the second principal after relogging in will fail.  There should not
be an implicit attempt to impersonate the second principal through the first principal that
logged in.

I have created a GitHub project that exhibits the impersonation error with brief instructions
on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test

{{18:44:55.687 [pool-2-thread-2] WARN  h.u.U.UgiRunnable.ugitest2@EXAMPLE.COM - Unexpected exception while performing task for [ugitest2@EXAMPLE.COM (auth:KERBEROS)]
org.apache.hadoop.ipc.RemoteException: User: ugitest1@EXAMPLE.COM is not allowed to impersonate ugitest2@EXAMPLE.COM
	at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481)
	at org.apache.hadoop.ipc.Client.call(Client.java:1427)
	at org.apache.hadoop.ipc.Client.call(Client.java:1337)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116)
	at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source)
	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398)
	at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163)
	at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155)
	at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95)
	at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335)
	at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
	at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700)
	at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436)
	at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433)
	at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
	at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448)
	at hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807)
	at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)}}

  was:
Multiple principals that are logged in using UGI instances that are instantiated from a UGI
class loaded by the same classloader will encounter problems when the second principal attempts
to relogin and perform an action using a UGI.doAs().  An impersonation will occur and the
operation attempted by the second principal after relogging in will fail.

I have created a GitHub project that exhibits the impersonation error with brief instructions
on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test




> Impersonation errors with UGI after second principal relogin
> ------------------------------------------------------------
>
>                 Key: HADOOP-14699
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14699
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common
>    Affects Versions: 2.6.2, 2.7.3, 2.8.1
>            Reporter: Jeff Storck
>
> Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs().  An impersonation will occur and the operation attempted by the second principal after relogging in will fail.  There should not be an implicit attempt to impersonate the second principal through the first principal that logged in.
> I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
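
Added example (not part of the original message, the reporter's test project, or Hadoop): a log triage helper for the error quoted above. Hadoop's proxy-user check names the authenticated (real) principal first and the requested effective user second, so a denial whose effective user is the very UGI the task ran under points at a client-side identity mix-up like the one reported here, not at a missing `hadoop.proxyuser.*` rule. It assumes the application logs the task's UGI the way the reporter's WARN line does; the second sample entry and the `oozie`/`alice` names are constructed.

```python
import re

# Constructed sample: the WARN line and exception from the report (unwrapped),
# followed by a made-up ordinary proxy-user denial for contrast.
SAMPLE_LOG = """\
18:44:55.687 [pool-2-thread-2] WARN  h.u.U.UgiRunnable.ugitest2@EXAMPLE.COM - Unexpected exception while performing task for [ugitest2@EXAMPLE.COM (auth:KERBEROS)]
org.apache.hadoop.ipc.RemoteException: User: ugitest1@EXAMPLE.COM is not allowed to impersonate ugitest2@EXAMPLE.COM
\tat org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481)
18:45:10.002 [pool-2-thread-5] WARN  app.ProxyTask - Unexpected exception while performing task for [oozie@EXAMPLE.COM (auth:KERBEROS)]
org.apache.hadoop.ipc.RemoteException: User: oozie@EXAMPLE.COM is not allowed to impersonate alice
"""

# Assumption: the application logs the UGI a task runs under in this form.
TASK_RE = re.compile(r"performing task for \[(?P<ugi>\S+) \(auth:(?P<auth>\w+)\)\]")
# Server-side denial: real (authenticated) user first, effective user second.
DENY_RE = re.compile(
    r"RemoteException: User: (?P<real>\S+) is not allowed to impersonate (?P<effective>\S+)"
)


def classify_denials(log_text):
    """Pair each impersonation denial with the UGI named on the preceding task line."""
    findings, task_ugi = [], None
    for line in log_text.splitlines():
        task = TASK_RE.search(line)
        if task:
            task_ugi = task.group("ugi")
            continue
        deny = DENY_RE.search(line)
        if not deny:
            continue  # stack frames and unrelated lines
        real, effective = deny.group("real"), deny.group("effective")
        if task_ugi == effective and real != effective:
            # The task acted as itself, yet the server authenticated someone else.
            kind = "identity-mixup"
        elif task_ugi == real:
            # The task's own principal asked to act for another user and was refused.
            kind = "proxy-denied"
        else:
            kind = "unknown"
        findings.append(
            {"task_ugi": task_ugi, "real": real, "effective": effective, "kind": kind}
        )
        task_ugi = None  # one denial per task line
    return findings


if __name__ == "__main__":
    for finding in classify_denials(SAMPLE_LOG):
        print(finding)
```

An "identity-mixup" finding is a reason to inspect how the client process holds and refreshes credentials for each principal; a "proxy-denied" finding is a server-side authorization decision.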
