Return-Path: X-Original-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id AA0529660 for ; Mon, 30 Jan 2012 23:53:33 +0000 (UTC) Received: (qmail 96040 invoked by uid 500); 30 Jan 2012 23:53:32 -0000 Delivered-To: apmail-hadoop-mapreduce-issues-archive@hadoop.apache.org Received: (qmail 95841 invoked by uid 500); 30 Jan 2012 23:53:32 -0000 Mailing-List: contact mapreduce-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: mapreduce-issues@hadoop.apache.org Delivered-To: mailing list mapreduce-issues@hadoop.apache.org Received: (qmail 95821 invoked by uid 99); 30 Jan 2012 23:53:31 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Jan 2012 23:53:31 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Jan 2012 23:53:30 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 6D3F316E56B for ; Mon, 30 Jan 2012 23:53:10 +0000 (UTC) Date: Mon, 30 Jan 2012 23:53:10 +0000 (UTC) From: "Vinod Kumar Vavilapalli (Resolved) (JIRA)" To: mapreduce-issues@hadoop.apache.org Message-ID: <1581450429.9815.1327967590448.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <1572994509.38682.1326482800877.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Resolved] (MAPREDUCE-3668) AccessControlException when running mapred job -list command MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/MAPREDUCE-3668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vinod Kumar Vavilapalli resolved MAPREDUCE-3668. ------------------------------------------------ Resolution: Duplicate This is fixed after MAPREDUCE-3720 removed the per-AM information from "job -list". Closing this as duplicate. > AccessControlException when running mapred job -list command > ------------------------------------------------------------ > > Key: MAPREDUCE-3668 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-3668 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: client, mrv2, security > Affects Versions: 0.23.1 > Reporter: Jason Lowe > Assignee: Vinod Kumar Vavilapalli > Priority: Blocker > > If a user tries to examine the status of all jobs running on a secure cluster the mapred client can fail with an AccessControlException. For example, submitting two jobs each from a different user then trying to query the status as the second user can fail like this: > $ mapred job -list all > 12/01/12 20:01:12 WARN conf.Configuration: mapred.used.genericoptionsparser is deprecated. Instead, use > mapreduce.client.genericoptionsparser.used > Total jobs:2 > JobId State StartTime UserName Queue Priority Maps Reduces UsedContainers RsvdContainers UsedMem RsvdMem NeededMem AM info > 12/01/12 20:01:14 INFO mapred.ClientServiceDelegate: Application state is completed. FinalApplicationStatus=SUCCEEDED. Redirecting to job history server > job_1326396427223_0002 SUCCEEDED 1326398424244 user2 default NORMAL 2 2 0 0 0M 0M 0M > hostremoved:8088/proxy/application_1326396427223_0002/jobhistory/job/job_1326396427223_2_2 > 12/01/12 20:01:14 INFO mapred.ClientServiceDelegate: Application state is completed. FinalApplicationStatus=SUCCEEDED. Redirecting to job history server > 12/01/12 20:01:14 WARN mapred.ClientServiceDelegate: Error from remote end: User user2 cannot perform operation VIEW_JOB on job_1326396427223_0001 > Exception in thread "main" RemoteTrace: > java.security.AccessControlException: User user2 cannot perform operation VIEW_JOB on job_1326396427223_0001 > at org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.checkAccess(HistoryClientService.java:293) > at org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.verifyAndGetJob(HistoryClientService.java:184) > at org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.getJobReport(HistoryClientService.java:200) > at org.apache.hadoop.mapreduce.v2.api.impl.pb.service.MRClientProtocolPBServiceImpl.getJobReport(MRClientProtocolPBServiceImpl.java:106) > at org.apache.hadoop.yarn.proto.MRClientProtocol$MRClientProtocolService$2.callBlockingMethod(MRClientProtocol.java:187) > at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Server.call(ProtoOverHadoopRpcEngine.java:344) > at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:1490) > at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:1486) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:396) > at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1157) > at org.apache.hadoop.ipc.Server$Handler.run(Server.java:1484) > at Local Trace: > org.apache.hadoop.yarn.exceptions.impl.pb.YarnRemoteExceptionPBImpl: User user2 cannot perform operation VIEW_JOB on job_1326396427223_0001 > at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:151) > at $Proxy10.getJobReport(Unknown Source) > at org.apache.hadoop.mapreduce.v2.api.impl.pb.client.MRClientProtocolPBClientImpl.getJobReport(MRClientProtocolPBClientImpl.java:104) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at org.apache.hadoop.mapred.ClientServiceDelegate.invoke(ClientServiceDelegate.java:328) > at org.apache.hadoop.mapred.ClientServiceDelegate.getJobStatus(ClientServiceDelegate.java:405) > at org.apache.hadoop.mapred.YARNRunner.getJobStatus(YARNRunner.java:431) > at org.apache.hadoop.mapreduce.Cluster.getJob(Cluster.java:186) > at org.apache.hadoop.mapreduce.tools.CLI.displayJobList(CLI.java:571) > at org.apache.hadoop.mapreduce.tools.CLI.listAllJobs(CLI.java:500) > at org.apache.hadoop.mapreduce.tools.CLI.run(CLI.java:298) > at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:69) > at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:83) > at org.apache.hadoop.mapred.JobClient.main(JobClient.java:1209) > The information provided by the command is similar to what is presented on the ResourceManager web UI, and that page has no security. > Marking this as a blocker since many of our automated acceptance tests use this command to obtain the status of jobs running in the cluster. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira