Ambari / AMBARI-25139

Yarn Capacity Scheduler Authorization issues due to AuthToLocal Rules


Details

    Description

      Yarn Capacity Scheduler is having issues with authorization if AuthToLocal rules are enabled.

      Problem statement: I am logging in as an LDAP user synced with Ambari, and my username contains spaces, for example 'Akhil Naik'. The user is an Ambari Admin user.

      In core-site.xml, the AuthToLocal rules are set:

      RULE:[1:$1](. *.*)s/ /_/g
      

      It will display:

      "Warning! You do not have permission to edit the Capacity Scheduler configuration. Contact your Cluster administrator."

      and the logs state:

      The authenticated user is not authorized to perform the requested operation
      28 Jan 2019 17:56:03,488 ERROR [ambari-client-thread-277] [CAPACITY-SCHEDULER 1.0.0 AUTO_CS_INSTANCE] ConfigurationService:333 - Got Error response from url : /api/v1/users/chitrartha_sur?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=v01eaedl). Response : {
        "status" : 403,
        "message" : "The authenticated user is not authorized to perform the requested operation"
      }
      org.apache.ambari.view.AmbariHttpException: {
        "status" : 403,
        "message" : "The authenticated user is not authorized to perform the requested operation"
      }
              at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:135)
              at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:123)
              at org.apache.ambari.server.view.ViewAmbariStreamProvider.readFrom(ViewAmbariStreamProvider.java:85)
              at org.apache.ambari.view.utils.ambari.AmbariApi.readFromAmbari(AmbariApi.java:130)
              at org.apache.ambari.view.capacityscheduler.ConfigurationService.isOperator(ConfigurationService.java:322)
              at org.apache.ambari.view.capacityscheduler.ConfigurationService.getPrivilege(ConfigurationService.java:239)
      

      Root cause:
      Currently, after the fix for https://issues.apache.org/jira/browse/AMBARI-14503, I see Ambari Server is converting AuthToLocal changes for usernames (code: https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java#L233)

      and Yarn Capacity Scheduler is calling this method (https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/contrib/views/capacity-scheduler/src/main/java/org/apache/ambari/view/capacityscheduler/ConfigurationService.java#L319); Ambari Server rejects the request, stating no permission.

      Ideally, Yarn Capacity Scheduler should be calling context.getLoggedinUser() instead of context.getUsername()
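
      An added example, not code from the report or from Ambari or Hadoop: a simplified model of the rule quoted above, used to list which login names the rule rewrites and the /api/v1/users/ path that results. The class and method names and the sample logins are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified model of one auth_to_local rule of the form
// RULE:[1:$1](filter)s/from/to/g -- an assumption, not Hadoop or Ambari source.
public class AuthToLocalAudit {
    private static final Pattern RULE =
        Pattern.compile("RULE:\\[1:\\$1\\]\\((.*)\\)s/(.*)/(.*)/(g?)");

    // Returns the mapped name; a name the filter does not match is unchanged.
    static String applyRule(String rule, String name) {
        Matcher m = RULE.matcher(rule.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("unsupported rule: " + rule);
        }
        if (!Pattern.matches(m.group(1), name)) {
            return name;
        }
        Matcher sub = Pattern.compile(m.group(2)).matcher(name);
        String to = Matcher.quoteReplacement(m.group(3));
        return m.group(4).isEmpty() ? sub.replaceFirst(to) : sub.replaceAll(to);
    }

    // Path shape taken from the log line in the report.
    static String userPath(String name) {
        return "/api/v1/users/" + name;
    }

    // Logins whose mapped name differs from the name they authenticated with.
    static List<String> rewrittenLogins(String rule, List<String> logins) {
        List<String> out = new ArrayList<>();
        for (String login : logins) {
            if (!applyRule(rule, login).equals(login)) out.add(login);
        }
        return out;
    }

    public static void main(String[] args) {
        String rule = "RULE:[1:$1](. *.*)s/ /_/g";            // as given in the report
        List<String> logins = List.of("Akhil Naik", "admin"); // constructed sample
        for (String login : rewrittenLogins(rule, logins)) {
            System.out.println(login + " -> " + userPath(applyRule(rule, login)));
        }
    }
}
```

      Any login the audit lists is one for which the mapped name and the logged-in name diverge, which is the condition the report describes.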

          People

            asnaik Akhil Naik
              Time Tracking

                Original Estimate - Not Specified
                Remaining Estimate - 0h
                Time Spent - 3h 40m