Return-Path: 
 <mapreduce-issues-return-39815-apmail-hadoop-mapreduce-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 3A96D9FE3
	for <apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org>;
 Thu,  2 Feb 2012 23:33:18 +0000 (UTC)
Received: (qmail 87543 invoked by uid 500); 2 Feb 2012 23:33:18 -0000
Delivered-To: apmail-hadoop-mapreduce-issues-archive@hadoop.apache.org
Received: (qmail 87474 invoked by uid 500); 2 Feb 2012 23:33:17 -0000
Mailing-List: contact mapreduce-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:mapreduce-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:mapreduce-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:mapreduce-issues@hadoop.apache.org>
List-Id: <mapreduce-issues.hadoop.apache.org>
Reply-To: mapreduce-issues@hadoop.apache.org
Delivered-To: mailing list mapreduce-issues@hadoop.apache.org
Received: (qmail 87458 invoked by uid 99); 2 Feb 2012 23:33:17 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 02 Feb 2012 23:33:17 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
	tests=ALL_TRUSTED,T_RP_MATCHES_RCVD
X-Spam-Check-By: apache.org
Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 02 Feb 2012 23:33:14 +0000
Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116])
	by hel.zones.apache.org (Postfix) with ESMTP id 8C6C91893F9
	for <mapreduce-issues@hadoop.apache.org>;
 Thu,  2 Feb 2012 23:32:53 +0000 (UTC)
Date: Thu, 2 Feb 2012 23:32:53 +0000 (UTC)
From: "Jonathan Eagles (Updated) (JIRA)" <jira@apache.org>
To: mapreduce-issues@hadoop.apache.org
Message-ID: 
 <962956714.5585.1328225573576.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: 
 <1478354833.36212.1321477311908.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Updated] (MAPREDUCE-3417) job access controls not working
 app master and job history UI's
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
X-Virus-Checked: Checked by ClamAV on apache.org


     [ https://issues.apache.org/jira/browse/MAPREDUCE-3417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Eagles updated MAPREDUCE-3417:
---------------------------------------

    Status: Patch Available  (was: Open)
    
> job access controls not working app master and job history UI's
> ---------------------------------------------------------------
>
>                 Key: MAPREDUCE-3417
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3417
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: mrv2
>    Affects Versions: 0.23.0
>            Reporter: Thomas Graves
>            Assignee: Jonathan Eagles
>            Priority: Blocker
>         Attachments: MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch
>
>
> tested with security on, no filters defined for httpserver, job acls set so that only I could view/modify the job.  Then went to the web ui to app master and job history server and both allowed me to view the job details.  The webui shows the user "webuser".   The RM properly rejected my request although it was using user "Dr.Who".    
> The exception shown in the log is:
> 11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
> 11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user webuser
> org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user
>         at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
>         at org.apache.hadoop.util.Shell.run(Shell.java:188)
>         at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
>         at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
>         at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
>         at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
>         at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
>         at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
>         at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira