Return-Path: 
 <mapreduce-issues-return-76838-apmail-hadoop-mapreduce-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id B16F4177B8
	for <apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org>;
 Wed, 25 Mar 2015 19:00:57 +0000 (UTC)
Received: (qmail 82942 invoked by uid 500); 25 Mar 2015 19:00:57 -0000
Delivered-To: apmail-hadoop-mapreduce-issues-archive@hadoop.apache.org
Received: (qmail 82883 invoked by uid 500); 25 Mar 2015 19:00:57 -0000
Mailing-List: contact mapreduce-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:mapreduce-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:mapreduce-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:mapreduce-issues@hadoop.apache.org>
List-Id: <mapreduce-issues.hadoop.apache.org>
Reply-To: mapreduce-issues@hadoop.apache.org
Delivered-To: mailing list mapreduce-issues@hadoop.apache.org
Received: (qmail 82872 invoked by uid 99); 25 Mar 2015 19:00:57 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Mar 2015 19:00:57 +0000
Date: Wed, 25 Mar 2015 19:00:57 +0000 (UTC)
From: "Karthik Kambatla (JIRA)" <jira@apache.org>
To: mapreduce-issues@hadoop.apache.org
Message-ID: <JIRA.12785022.1427153084000.27242.1427310057392@Atlassian.JIRA>
In-Reply-To: <JIRA.12785022.1427153084000@Atlassian.JIRA>
References: <JIRA.12785022.1427153084000@Atlassian.JIRA>
 <JIRA.12785022.1427153084831@arcas>
Subject: [jira] [Commented] (MAPREDUCE-6288) mapred job -status fails with
 AccessControlException
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/MAPREDUCE-6288?page=3Dcom.atlas=
sian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D=
14380521#comment-14380521 ]=20

Karthik Kambatla commented on MAPREDUCE-6288:
---------------------------------------------

bq. History files are completely owned by MRJobHistoryServer and are only a=
ccessible through RPC and web-service interfaces together with auth + authz=
 checks. The file-names do contain a lot of information some of which is at=
 times considered sensitive. So we cannot change permissions like this.

I understand the file names and files themselves could contain sensitive in=
formation. IIRR, making the parent directories world-*executable* doesn't l=
et anyone read the contents.=20

In addition to Limits themselves, MAPREDUCE-5875 fixes another issue with c=
onfiguration. [~jarcec]'s email with details:=20
{code}
Configuration configuration =3D new Configuration();
configuration.set(=E2=80=9Cjarcec=E2=80=9D, =E2=80=9Cfeels awesome=E2=80=9D=
);
job.submit();

RunningJob runningJob =3D jobClient.getJob(job.getJobID().toString())
runningJob.getConfiguration().get(=E2=80=9Cjarcec=E2=80=9D);
{code}
The problem is that the configuration object returned by RunningJob does no=
t contain the property =E2=80=9Cjarcec=E2=80=9D that I=E2=80=99ve originall=
y stored in the job, even though that he properly is available in the job i=
tself (e.g. I can see it mapper/reducer/input format/output format).

> mapred job -status fails with AccessControlException=20
> -----------------------------------------------------
>
>                 Key: MAPREDUCE-6288
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-6288
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>    Affects Versions: 2.7.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: MAPREDUCE-6288-gera-001.patch, MAPREDUCE-6288.patch
>
>
> After MAPREDUCE-5875, we're seeing this Exception when trying to do {{map=
red job -status job_1427080398288_0001}}
> {noformat}
> Exception in thread "main" org.apache.hadoop.security.AccessControlExcept=
ion: Permission denied: user=3Djenkins, access=3DEXECUTE, inode=3D"/user/hi=
story/done":mapred:hadoop:drwxrwx---
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.checkFsPermission(DefaultAuthorizationProvider.java:257)
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.check(DefaultAuthorizationProvider.java:238)
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.checkTraverse(DefaultAuthorizationProvider.java:180)
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.checkPermission(DefaultAuthorizationProvider.java:137)
> =09at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPer=
mission(FSPermissionChecker.java:138)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission=
(FSNamesystem.java:6553)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission=
(FSNamesystem.java:6535)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPathAccess=
(FSNamesystem.java:6460)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
nsUpdateTimes(FSNamesystem.java:1919)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
nsInt(FSNamesystem.java:1870)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
ns(FSNamesystem.java:1850)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
ns(FSNamesystem.java:1822)
> =09at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getBlockLo=
cations(NameNodeRpcServer.java:545)
> =09at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyCl=
ientProtocol.getBlockLocations(AuthorizationProviderProxyClientProtocol.jav=
a:87)
> =09at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideT=
ranslatorPB.getBlockLocations(ClientNamenodeProtocolServerSideTranslatorPB.=
java:363)
> =09at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$=
ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.ja=
va)
> =09at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.c=
all(ProtobufRpcEngine.java:619)
> =09at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1060)
> =09at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2044)
> =09at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2040)
> =09at java.security.AccessController.doPrivileged(Native Method)
> =09at javax.security.auth.Subject.doAs(Subject.java:415)
> =09at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInfor=
mation.java:1671)
> =09at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2038)
> =09at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Metho=
d)
> =09at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstru=
ctorAccessorImpl.java:57)
> =09at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delegatin=
gConstructorAccessorImpl.java:45)
> =09at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> =09at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteEx=
ception.java:106)
> =09at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteE=
xception.java:73)
> =09at org.apache.hadoop.hdfs.DFSClient.callGetBlockLocations(DFSClient.ja=
va:1213)
> =09at org.apache.hadoop.hdfs.DFSClient.getLocatedBlocks(DFSClient.java:12=
01)
> =09at org.apache.hadoop.hdfs.DFSClient.getLocatedBlocks(DFSClient.java:11=
91)
> =09at org.apache.hadoop.hdfs.DFSInputStream.fetchLocatedBlocksAndGetLastB=
lockLength(DFSInputStream.java:299)
> =09at org.apache.hadoop.hdfs.DFSInputStream.openInfo(DFSInputStream.java:=
265)
> =09at org.apache.hadoop.hdfs.DFSInputStream.<init>(DFSInputStream.java:25=
7)
> =09at org.apache.hadoop.hdfs.DFSClient.open(DFSClient.java:1490)
> =09at org.apache.hadoop.hdfs.DistributedFileSystem$3.doCall(DistributedFi=
leSystem.java:302)
> =09at org.apache.hadoop.hdfs.DistributedFileSystem$3.doCall(DistributedFi=
leSystem.java:298)
> =09at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkR=
esolver.java:81)
> =09at org.apache.hadoop.hdfs.DistributedFileSystem.open(DistributedFileSy=
stem.java:298)
> =09at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:766)
> =09at org.apache.hadoop.mapreduce.Cluster.getJob(Cluster.java:190)
> =09at org.apache.hadoop.mapreduce.tools.CLI.run(CLI.java:264)
> =09at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
> =09at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:84)
> =09at org.apache.hadoop.mapred.JobClient.main(JobClient.java:1239)
> Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.securi=
ty.AccessControlException): Permission denied: user=3Djenkins, access=3DEXE=
CUTE, inode=3D"/user/history2/done":mapred:hadoop:drwxrwx---
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.checkFsPermission(DefaultAuthorizationProvider.java:257)
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.check(DefaultAuthorizationProvider.java:238)
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.checkTraverse(DefaultAuthorizationProvider.java:180)
> =09at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider=
.checkPermission(DefaultAuthorizationProvider.java:137)
> =09at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPer=
mission(FSPermissionChecker.java:138)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission=
(FSNamesystem.java:6553)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission=
(FSNamesystem.java:6535)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPathAccess=
(FSNamesystem.java:6460)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
nsUpdateTimes(FSNamesystem.java:1919)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
nsInt(FSNamesystem.java:1870)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
ns(FSNamesystem.java:1850)
> =09at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getBlockLocatio=
ns(FSNamesystem.java:1822)
> =09at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getBlockLo=
cations(NameNodeRpcServer.java:545)
> =09at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyCl=
ientProtocol.getBlockLocations(AuthorizationProviderProxyClientProtocol.jav=
a:87)
> =09at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideT=
ranslatorPB.getBlockLocations(ClientNamenodeProtocolServerSideTranslatorPB.=
java:363)
> =09at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$=
ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.ja=
va)
> =09at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.c=
all(ProtobufRpcEngine.java:619)
> =09at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1060)
> =09at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2044)
> =09at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2040)
> =09at java.security.AccessController.doPrivileged(Native Method)
> =09at javax.security.auth.Subject.doAs(Subject.java:415)
> =09at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInfor=
mation.java:1671)
> =09at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2038)
> =09at org.apache.hadoop.ipc.Client.call(Client.java:1468)
> =09at org.apache.hadoop.ipc.Client.call(Client.java:1399)
> =09at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcE=
ngine.java:232)
> =09at com.sun.proxy.$Proxy17.getBlockLocations(Unknown Source)
> =09at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorP=
B.getBlockLocations(ClientNamenodeProtocolTranslatorPB.java:254)
> =09at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> =09at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImp=
l.java:57)
> =09at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcc=
essorImpl.java:43)
> =09at java.lang.reflect.Method.invoke(Method.java:606)
> =09at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(Retr=
yInvocationHandler.java:187)
> =09at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvoc=
ationHandler.java:102)
> =09at com.sun.proxy.$Proxy18.getBlockLocations(Unknown Source)
> =09at org.apache.hadoop.hdfs.DFSClient.callGetBlockLocations(DFSClient.ja=
va:1211)
> =09... 16 more
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)