Date: Wed, 16 Nov 2011 21:01:51 +0000 (UTC)
From: "Thomas Graves (Created) (JIRA)"
To: mapreduce-issues@hadoop.apache.org
Message-ID: <1478354833.36212.1321477311908.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Created] (MAPREDUCE-3417) job access controls let invalid user see job info via web ui when they shouldn't be able to

job access controls let invalid user see job info via web ui when they shouldn't be able to
-------------------------------------------------------------------------------------------

                 Key: MAPREDUCE-3417
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3417
             Project: Hadoop Map/Reduce
          Issue Type: Bug
          Components: mrv2
    Affects Versions: 0.23.0
            Reporter: Thomas Graves
            Priority: Critical


Tested with security on, no filters defined for httpserver, job acls set so that only I could view/modify the job. Then went to the web ui to app master and job history server and both allowed me to view the job details. The webui shows the user "webuser".

The RM properly rejected my request although it was using user "Dr.Who".

The exception shown in the log is:

11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user webuser
org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user

        at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
        at org.apache.hadoop.util.Shell.run(Shell.java:188)
        at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
        at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
        at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
        at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
        at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
        at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
        at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
        at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
        at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
        at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
        at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
        at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
        at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)
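
Added example, not part of the original report and not Hadoop code: a small log audit that lists the identities JobACLsManager evaluated and flags those that look like placeholder web identities or that the OS does not know, which is the pattern visible in the log above. The sample log is constructed from the quoted lines, and the placeholder list (the two names the report mentions) and the function name are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the first lines follow the log quoted in the report;
# the final "alice" line is invented to show a normal, unflagged check.
SAMPLE_LOG = """\
11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user webuser
org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user
    at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
11/11/16 19:02:10 INFO mapred.JobACLsManager: job checkAccess user is: alice
"""

CHECK_RE = re.compile(r"JobACLsManager: job checkAccess user is: (\S+)")
NO_USER_RE = re.compile(r"\bid: (\S+): No such user")

# Assumption: the two names the report mentions are treated as placeholder
# identities for unauthenticated web requests; adjust for your cluster.
PLACEHOLDER_USERS = {"webuser", "dr.who"}


def audit_acl_identities(log_text):
    """Return [(user, checks, reasons)] for suspicious ACL-check identities."""
    checks = Counter()
    unknown_to_os = set()
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            checks[m.group(1)] += 1
            continue
        m = NO_USER_RE.search(line)
        if m:
            unknown_to_os.add(m.group(1))

    findings = []
    for user, count in sorted(checks.items()):
        reasons = []
        if user.lower() in PLACEHOLDER_USERS:
            reasons.append("placeholder web identity")
        if user in unknown_to_os:
            reasons.append("no such OS user")
        if reasons:
            findings.append((user, count, reasons))
    return findings


if __name__ == "__main__":
    for user, count, reasons in audit_acl_identities(SAMPLE_LOG):
        print(f"{user}: {count} ACL check(s); {', '.join(reasons)}")
```

Any finding means a job ACL decision was made for an identity that is not a real, authenticated cluster user, so the web UI path that produced it deserves review.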