hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vinod Kumar Vavilapalli (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MAPREDUCE-3417) job access controls not working app master and job history UI's
Date Fri, 03 Feb 2012 21:18:54 GMT

     [ https://issues.apache.org/jira/browse/MAPREDUCE-3417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Vinod Kumar Vavilapalli updated MAPREDUCE-3417:
-----------------------------------------------

    Fix Version/s: 0.23.1
           Status: Open  (was: Patch Available)

Looks good overall. The fix for the main issue is fine. Haven't tested it myself, relying
on your tests. Few minor comments: 
 - Instead of Hadoop authorization flag, we should instead be looking at YarnConfiguration#YARN_ACL_ENABLE.
It is debatable whether we need a separate config item besides hadoop-auth flag, but let us
resolve that separately and be consistent here.
 - Good job on the test! But we shouldn't be needing to set MRConfig.MR_ACLS_ENABLED as that
is a MRV1 config which we don't want to use here at all.
 - Am not sure of the expected behavior of the proxy. Can Robert/Thomas pitch in?
                
> job access controls not working app master and job history UI's
> ---------------------------------------------------------------
>
>                 Key: MAPREDUCE-3417
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3417
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: mrv2
>    Affects Versions: 0.23.0
>            Reporter: Thomas Graves
>            Assignee: Jonathan Eagles
>            Priority: Blocker
>             Fix For: 0.23.1
>
>         Attachments: MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch,
MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch
>
>
> tested with security on, no filters defined for httpserver, job acls set so that only
I could view/modify the job.  Then went to the web ui to app master and job history server
and both allowed me to view the job details.  The webui shows the user "webuser".   The RM
properly rejected my request although it was using user "Dr.Who".    
> The exception shown in the log is:
> 11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
> 11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to
get groups for user webuser
> org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user
>         at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
>         at org.apache.hadoop.util.Shell.run(Shell.java:188)
>         at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
>         at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
>         at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
>         at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
>         at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
>         at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message