Return-Path: 
 <issues-return-11788-apmail-tez-issues-archive=tez.apache.org@tez.apache.org>
X-Original-To: apmail-tez-issues-archive@minotaur.apache.org
Delivered-To: apmail-tez-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 2711617251
	for <apmail-tez-issues-archive@minotaur.apache.org>;
 Mon,  6 Oct 2014 15:43:35 +0000 (UTC)
Received: (qmail 76385 invoked by uid 500); 6 Oct 2014 15:43:34 -0000
Delivered-To: apmail-tez-issues-archive@tez.apache.org
Received: (qmail 76200 invoked by uid 500); 6 Oct 2014 15:43:34 -0000
Mailing-List: contact issues-help@tez.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@tez.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@tez.apache.org>
List-Post: <mailto:issues@tez.apache.org>
List-Id: <issues.tez.apache.org>
Reply-To: dev@tez.apache.org
Delivered-To: mailing list issues@tez.apache.org
Received: (qmail 76034 invoked by uid 99); 6 Oct 2014 15:43:34 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Oct 2014 15:43:34 +0000
Date: Mon, 6 Oct 2014 15:43:34 +0000 (UTC)
From: "Subroto Sanyal (JIRA)" <jira@apache.org>
To: issues@tez.apache.org
Message-ID: <JIRA.12746168.1412610191000.198048.1412610214116@Atlassian.JIRA>
In-Reply-To: <JIRA.12746168.1412610191000@Atlassian.JIRA>
References: <JIRA.12746168.1412610191000@Atlassian.JIRA>
 <JIRA.12746168.1412610191839@arcas>
Subject: [jira] [Created] (TEZ-1640) Unable to achieve Secured Impersonation
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

Subroto Sanyal created TEZ-1640:
-----------------------------------

             Summary: Unable to achieve Secured Impersonation
                 Key: TEZ-1640
                 URL: https://issues.apache.org/jira/browse/TEZ-1640
             Project: Apache Tez
          Issue Type: Bug
    Affects Versions: 0.5.0
            Reporter: Subroto Sanyal


My client is running with user "subroto" and following are the entries in the xmls:
{code:xml|title=core-site.xml|borderStyle=solid}
               <property>
                <name>hadoop.proxyuser.subroto.groups</name>
                <value>impersonatedgroup</value>
                </property>

               <property>
                <name>hadoop.proxyuser.subroto.hosts</name>
                <value>*</value>
               </property>
{code}

I have a user _qa_ which belongs to the the group _impersonatedgroup_ .
Following is the code to launch the DAGAppMaster
{code:java|title=TezClientWrapper.java|borderStyle=solid}
TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new PrivilegedExceptionAction<TezClient>() {
                @Override
                public TezClient run() throws Exception {
                    final TezConfiguration tezConf = createTezConf(conf, datameerJobContext);
                    if (amSpecificProperties != null) {
                        applyAmSpecificProperties(tezConf, amSpecificProperties);
                    }

                    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
                    LOG.info("Current User:" + currentUser);
                    File tokenFile = new File(System.getProperty("java.io.tmpdir"), tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
                    LOG.info("Token File:" + tokenFile.getAbsolutePath());
                    currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), conf);
                    tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, tokenFile.getAbsolutePath());
                    TezClient tezClient = TezClient.create(tezSessionName, tezConf, createSession, localResourceMap, currentUser.getCredentials());
                    tezClient.setAppMasterCredentials(currentUser.getCredentials());
                    tezClient.start();
                    tezClient.waitTillReady();
                    return tezClient;
                }
            });{code}

The logs so obtained from this piece of code execution is:
{noformat}Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL (auth:KERBEROS){noformat}

The  code piece fails in: _tezClient.waitTillReady();_
>From the Resource Manager UI I can see that a application is launched with user _qa_.
Failure stack-trace:
{noformat}
 (UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
Failed to retrieve AM Status via proxy
com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "ip-10-178-144-254/10.178.144.254"; destination host is: "ip-10-187-33-206":56660;
        at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
        at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
        at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
        at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
        at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
        at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
        at test.app.Security.doAs(Security.java:65)
{noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)