tez-issues mailing list archives

From "Bikas Saha (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TEZ-1640) Unable to achieve Secured Impersonation
Date Wed, 08 Oct 2014 20:02:36 GMT

    [ https://issues.apache.org/jira/browse/TEZ-1640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14164064#comment-14164064 ]

Bikas Saha commented on TEZ-1640:
---------------------------------

Can you please clarify/confirm the following:

Your client runs as foo.
Your client starts TezClient as effective user bar (via the UGI.createProxyUser code).
This causes TezClient to start the AM as user bar.
AM runs as user bar.
TezClient (running as effective bar) tries to contact the AM running as bar.
TezClient gets error.

If the answer is yes to all of the above then please attach the client side and AM logs. Could
you please enable debug logging on both the client and the AM?


> Unable to achieve Secured Impersonation
> ---------------------------------------
>
>                 Key: TEZ-1640
>                 URL: https://issues.apache.org/jira/browse/TEZ-1640
>             Project: Apache Tez
>          Issue Type: Bug
>    Affects Versions: 0.5.0
>            Reporter: Subroto Sanyal
>
> My client is running with user "subroto" and following are the entries in the xmls:
> {code:xml|title=core-site.xml|borderStyle=solid}
>                <property>
>                 <name>hadoop.proxyuser.subroto.groups</name>
>                 <value>impersonatedgroup</value>
>                 </property>
>                <property>
>                 <name>hadoop.proxyuser.subroto.hosts</name>
>                 <value>*</value>
>                </property>
> {code}
> I have a user _qa_ which belongs to the group _impersonatedgroup_.
> Following is the code to launch the DAGAppMaster
> {code:java|title=TezClientWrapper.java|borderStyle=solid}
> TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new PrivilegedExceptionAction<TezClient>() {
>                 @Override
>                 public TezClient run() throws Exception {
>                     final TezConfiguration tezConf = createTezConf(conf, jobContext);
>                     if (amSpecificProperties != null) {
>                         applyAmSpecificProperties(tezConf, amSpecificProperties);
>                     }
>                     UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
>                     LOG.info("Current User:" + currentUser);
>                     File tokenFile = new File(System.getProperty("java.io.tmpdir"), tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
>                     LOG.info("Token File:" + tokenFile.getAbsolutePath());
>                     currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), conf);
>                     tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, tokenFile.getAbsolutePath());
>                     TezClient tezClient = TezClient.create(tezSessionName, tezConf, createSession, localResourceMap, currentUser.getCredentials());
>                     tezClient.setAppMasterCredentials(currentUser.getCredentials());
>                     tezClient.start();
>                     tezClient.waitTillReady();
>                     return tezClient;
>                 }
>             });{code}
> The log obtained from executing this piece of code is:
> {noformat}Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL (auth:KERBEROS){noformat}
> The code piece fails in: _tezClient.waitTillReady();_
> From the Resource Manager UI I can see that an application is launched with user _qa_.
> Failure stack-trace:
> {noformat}
>  (UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
> Failed to retrieve AM Status via proxy
> com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "ip-10-178-144-254/10.178.144.254"; destination host is: "ip-10-187-33-206":56660;
>         at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
>         at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
>         at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
>         at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
>         at test.app.Security.doAs(Security.java:65)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
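
Added example, not part of the original message and not Hadoop's or Tez's own code: a Python check that evaluates the hadoop.proxyuser.subroto.* rule quoted in the issue and lists wildcard entries worth reviewing. It models only the groups and hosts keys shown above; the function names are hypothetical, the target user's groups are passed in rather than resolved through Hadoop's group mapping, and the XML is wrapped in a constructed <configuration> root.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the two properties quoted in the issue, wrapped in a
# <configuration> root so the fragment parses like a core-site.xml file.
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.subroto.groups</name>
    <value>impersonatedgroup</value>
  </property>
  <property>
    <name>hadoop.proxyuser.subroto.hosts</name>
    <value>*</value>
  </property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> element."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def _items(props, key):
    """Split a comma-separated property value; a missing key gives []."""
    return [v.strip() for v in props.get(key, "").split(",") if v.strip()]

def host_allowed(rules, addr):
    """True if addr matches '*', an IP or CIDR rule, or a literal host name."""
    if "*" in rules:
        return True
    for rule in rules:
        try:
            if ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False):
                return True
        except ValueError:  # rule or addr is a host name, compare literally
            if rule == addr:
                return True
    return False

def may_impersonate(props, real_user, target_groups, client_addr):
    """Both the group rule and the host rule must pass; no rule means deny."""
    prefix = "hadoop.proxyuser.%s." % real_user
    groups = _items(props, prefix + "groups")
    group_ok = "*" in groups or bool(set(groups) & set(target_groups))
    return group_ok and host_allowed(_items(props, prefix + "hosts"), client_addr)

def wildcard_findings(props):
    """Proxy-user keys whose value contains '*', for review."""
    return sorted(k for k in props
                  if k.startswith("hadoop.proxyuser.") and "*" in _items(props, k))
```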
