hadoop-yarn-issues mailing list archives

From "Yu Gao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2407) Users are not allowed to view their own jobs, denied by JobACLsManager
Date Mon, 11 Aug 2014 23:08:11 GMT

    [ https://issues.apache.org/jira/browse/YARN-2407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14093484#comment-14093484 ]

Yu Gao commented on YARN-2407:
------------------------------

After turning on debug, got this in the ApplicationMaster log:
DEBUG [IPC Server handler 0 on 36796] org.apache.hadoop.mapred.JobACLsManager: checkAccess job acls, jobOwner: yarn jobacl: VIEW_JOB user: user1

The jobOwner above is incorrect. It should be user1 since it was user1 who submitted the job.

This error is caused by an incorrect implementation in JobImpl, which has defined two user name fields:
username - user got from system property user.name, which is the container process owner
userName - the value is passed in via JobImpl constructor, which is the end user who has submitted the job

The JobImpl#checkAccess method should have used userName as the job owner, instead of username.

> Users are not allowed to view their own jobs, denied by JobACLsManager
> ----------------------------------------------------------------------
>
>                 Key: YARN-2407
>                 URL: https://issues.apache.org/jira/browse/YARN-2407
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: applications
>    Affects Versions: 2.4.1
>            Reporter: Yu Gao
>
> Have a Hadoop 2.4.1 cluster with Yarn ACL enabled, and try to submit jobs as a non-admin user user1. The job could be finished successfully, but the running progress was not displayed correctly on the command-line, and I got the following in the corresponding ApplicationMaster log:
> INFO [IPC Server handler 0 on 56717] org.apache.hadoop.ipc.Server: IPC Server handler 0 on 56717, call org.apache.hadoop.mapreduce.v2.api.MRClientProtocolPB.getJobReport from 9.30.95.26:61024 Call#59 Retry#0
> org.apache.hadoop.security.AccessControlException: User user1 cannot perform operation VIEW_JOB on job_1407456690588_0003
> 	at org.apache.hadoop.mapreduce.v2.app.client.MRClientService$MRClientProtocolHandler.verifyAndGetJob(MRClientService.java:191)
> 	at org.apache.hadoop.mapreduce.v2.app.client.MRClientService$MRClientProtocolHandler.getJobReport(MRClientService.java:233)
> 	at org.apache.hadoop.mapreduce.v2.api.impl.pb.service.MRClientProtocolPBServiceImpl.getJobReport(MRClientProtocolPBServiceImpl.java:122)
> 	at org.apache.hadoop.yarn.proto.MRClientProtocol$MRClientProtocolService$2.callBlockingMethod(MRClientProtocol.java:275)
> 	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:585)
> 	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:928)
> 	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2013)
> 	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2009)
> 	at java.security.AccessController.doPrivileged(AccessController.java:366)
> 	at javax.security.auth.Subject.doAs(Subject.java:572)
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1567)
> 	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2007)



--
This message was sent by Atlassian JIRA
(v6.2#6252)
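
An added illustration of the two-field mix-up described in the comment above; it is not part of the original message and is not Hadoop's code. It is a simplified owner-or-ACL model in which the class and method names are hypothetical and the empty view ACL is an assumed value.

```java
import java.util.Collections;
import java.util.Set;

// Simplified model (not Hadoop source): a job that keeps two similarly named
// user fields and an owner-or-ACL check that can be fed either one.
public class JobOwnerAclDemo {

    // Grant access when the caller is the job owner or is listed in the ACL.
    static boolean checkAccess(String caller, String jobOwner, Set<String> viewAcl) {
        return caller.equals(jobOwner) || viewAcl.contains(caller);
    }

    static class Job {
        private final String username; // container process owner (system property user.name)
        private final String userName; // end user who submitted the job (constructor argument)
        private final Set<String> viewAcl;

        Job(String processOwner, String submitter, Set<String> viewAcl) {
            this.username = processOwner;
            this.userName = submitter;
            this.viewAcl = viewAcl;
        }

        // Behaviour reported in the comment: the process owner is treated as job owner.
        boolean canViewAsReported(String caller) {
            return checkAccess(caller, username, viewAcl);
        }

        // Behaviour the comment asks for: the submitting user is the job owner.
        boolean canViewAsProposed(String caller) {
            return checkAccess(caller, userName, viewAcl);
        }
    }

    public static void main(String[] args) {
        // Constructed values: process owner "yarn" and submitter "user1" as in the
        // debug line; the empty view ACL is an assumption for this example.
        Job job = new Job("yarn", "user1", Collections.<String>emptySet());

        for (String caller : new String[] {"user1", "yarn", "user2"}) {
            System.out.printf("caller=%-5s reported=%-5b proposed=%b%n",
                    caller, job.canViewAsReported(caller), job.canViewAsProposed(caller));
        }
    }
}
```

In this model the wrong field has two effects: the submitter loses owner access, and the container process account is treated as the owner instead.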
