hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Eagles (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-3417) job access controls not working app master and job history UI's
Date Fri, 03 Feb 2012 20:48:55 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-3417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13200030#comment-13200030
] 

Jonathan Eagles commented on MAPREDUCE-3417:
--------------------------------------------

I have tried to access via the trackinging url both the AM and JHS job and task pages both
with authorization off, simple authorization on, and kerberos authorization on. I have tested
that the job owner always has access to those pages. I have tested non-owner with view acls
(both via allAccess -> * and specific users). I have also tested this with both static
http users as well as using a custom filter.
.

                
> job access controls not working app master and job history UI's
> ---------------------------------------------------------------
>
>                 Key: MAPREDUCE-3417
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3417
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: mrv2
>    Affects Versions: 0.23.0
>            Reporter: Thomas Graves
>            Assignee: Jonathan Eagles
>            Priority: Blocker
>         Attachments: MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch,
MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch
>
>
> tested with security on, no filters defined for httpserver, job acls set so that only
I could view/modify the job.  Then went to the web ui to app master and job history server
and both allowed me to view the job details.  The webui shows the user "webuser".   The RM
properly rejected my request although it was using user "Dr.Who".    
> The exception shown in the log is:
> 11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
> 11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to
get groups for user webuser
> org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user
>         at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
>         at org.apache.hadoop.util.Shell.run(Shell.java:188)
>         at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
>         at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
>         at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
>         at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
>         at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
>         at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message