From: "Harsh J (JIRA)"
To: mapreduce-issues@hadoop.apache.org
Date: Fri, 8 Jun 2012 13:53:23 +0000 (UTC)
Subject: [jira] [Commented] (MAPREDUCE-4329) security.task.umbilical.protocol.acl should not be configurable

[ https://issues.apache.org/jira/browse/MAPREDUCE-4329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13291781#comment-13291781 ]

Harsh J commented on MAPREDUCE-4329:
------------------------------------

I think removing its config from the docs/default policy files (if that works) or documenting that
this should never be changed from '*' should be good enough. We should let it exist in the policy set (as it's supposed to be a complete list). The real problem is that users may change this/care about changing it, which is a wrong thing to do.

> security.task.umbilical.protocol.acl should not be configurable
> ---------------------------------------------------------------
>
>                 Key: MAPREDUCE-4329
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-4329
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.3
>            Reporter: Sho Shimauchi
>
> On running MapReduce job, username is changed to jobid and the job fails.
> Exception is as follows:
> {code}
> 2012-06-08 19:39:26,555 WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_201206081934_0002
> org.apache.hadoop.util.Shell$ExitCodeException: id: job_201206081934_0002: no such user
>         at org.apache.hadoop.util.Shell.runCommand(Shell.java:255)
>         at org.apache.hadoop.util.Shell.run(Shell.java:182)
>         at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:375)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:461)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:444)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:68)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:45)
>         at org.apache.hadoop.security.Groups.getGroups(Groups.java:79)
>         at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1026)
>         at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:141)
>         at org.apache.hadoop.security.authorize.ServiceAuthorizationManager.authorize(ServiceAuthorizationManager.java:99)
>         at org.apache.hadoop.ipc.Server.authorize(Server.java:1659)
>         at org.apache.hadoop.ipc.Server$Connection.authorizeConnection(Server.java:1320)
>         at org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:1286)
>         at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1182)
>         at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537)
>         at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:680)
> {code}
> This issue can be reproduced by following steps:
> 1. set hadoop.security.authorization = true in core-site.xml
> {code}
> <property>
>   <name>hadoop.security.authorization</name>
>   <value>true</value>
> </property>
> {code}
> 2. set any value except for '*' to security.task.umbilical.protocol.acl in hadoop-policy.xml
> {code}
> <property>
>   <name>security.task.umbilical.protocol.acl</name>
>   <value>sho sho</value>
>   <description>ACL for TaskUmbilicalProtocol, used by the map and reduce
>   tasks to communicate with the parent tasktracker.
>   The ACL is a comma-separated list of user and group names. The user and
>   group list is separated by a blank. For e.g. "alice,bob users,wheel".
>   A special value of "*" means all users are allowed.</description>
> </property>
> {code}
> 3. run any mapreduce job.
> h4. Code Analysis
> ./src/mapred/org/apache/hadoop/mapred/Child.java:102-118
> {code}
>     UserGroupInformation taskOwner
>      = UserGroupInformation.createRemoteUser(firstTaskid.getJobID().toString());
>     taskOwner.addToken(jt);
>
>     // Set the credentials
>     defaultConf.setCredentials(credentials);
>
>     final TaskUmbilicalProtocol umbilical =
>       taskOwner.doAs(new PrivilegedExceptionAction<TaskUmbilicalProtocol>() {
>         @Override
>         public TaskUmbilicalProtocol run() throws Exception {
>           return (TaskUmbilicalProtocol)RPC.getProxy(TaskUmbilicalProtocol.class,
>               TaskUmbilicalProtocol.versionID,
>               address,
>               defaultConf);
>         }
>     });
> {code}
> This code indicates that TaskUmbilicalProtocol uses jobid as username.
> This code came from MAPREDUCE-1457.
> https://issues.apache.org/jira/browse/MAPREDUCE-1457
> Devaraj said as follows in the JIRA:
> {quote}
> 2) In Child.java, the task authenticates to the TaskTracker using the jobtoken. The username in the jobtoken is jobId. The doAs block done using taskOwner is required so that the username mentioned in the token and the one doing the operation matches.
> {quote}
> We can't change security.task.umbilical.protocol.acl and should always be '*'.
> TaskUmbilicalProtocol should be removed from MapReducePolicyProvider to disable security.task.umbilical.protocol.acl.
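
Added example, not part of the original message and not Hadoop's own code: a small audit of a hadoop-policy.xml that evaluates security.task.umbilical.protocol.acl against the job-id identity the task connects with, using a simplified model of the ACL format given in the quoted description. The function names are hypothetical, the XML is constructed from step 2 of the report, and the job-id user is assumed to have no groups, as the "no such user" warning shows.

```python
import xml.etree.ElementTree as ET

# Constructed hadoop-policy.xml fragment mirroring step 2 of the report.
POLICY_XML = """<configuration>
  <property>
    <name>security.task.umbilical.protocol.acl</name>
    <value>sho sho</value>
  </property>
</configuration>"""

UMBILICAL_KEY = "security.task.umbilical.protocol.acl"


def parse_acl(value):
    """Parse 'users groups' (two comma lists separated by one blank).

    Returns (all_allowed, users, groups). A bare '*' allows everyone.
    Simplified model of the format in the policy file's description.
    """
    if value.strip() == "*":
        return True, set(), set()
    users, _, groups = value.partition(" ")

    def names(s):
        return {n.strip() for n in s.split(",") if n.strip()}

    return False, names(users), names(groups)


def is_allowed(acl, user, groups=()):
    """True if the user, or any of the user's groups, is listed in the ACL."""
    all_allowed, users, acl_groups = acl
    return all_allowed or user in users or bool(acl_groups & set(groups))


def audit(xml_text, job_user="job_201206081934_0002"):
    """Return findings if the umbilical ACL would reject the job-id identity."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() != UMBILICAL_KEY:
            continue
        acl = parse_acl(prop.findtext("value") or "")
        # The job id is not a Unix account, so it resolves to no groups.
        if not is_allowed(acl, job_user):
            findings.append(f"{UMBILICAL_KEY} rejects {job_user}; it must be '*'")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICY_XML):
        print(finding)
```
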