Details
Bug
Status: Resolved
Major
Resolution: Fixed
2.6.2, 2.7.3
Description
Yarn Capacity Scheduler is having issues with authorization if AuthToLocal rules are enabled.
Problem statement: I am logging in as an LDAP user synced with Ambari, and my username contains spaces, for example 'Akhil Naik'. The user is an Ambari Admin user.
In core-site.xml the AuthToLocal rules are set:
RULE:[1:$1](. *.*)s/ /_/g
It will display:
"Warning! You do not have permission to edit the Capacity Scheduler configuration. Contact your Cluster administrator."
and the logs state:
The authenticated user is not authorized to perform the requested operation
28 Jan 2019 17:56:03,488 ERROR [ambari-client-thread-277] [CAPACITY-SCHEDULER 1.0.0 AUTO_CS_INSTANCE] ConfigurationService:333 - Got Error response from url : /api/v1/users/chitrartha_sur?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=v01eaedl). Response : { "status" : 403, "message" : "The authenticated user is not authorized to perform the requested operation" }
org.apache.ambari.view.AmbariHttpException: { "status" : 403, "message" : "The authenticated user is not authorized to perform the requested operation" }
    at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:135)
    at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:123)
    at org.apache.ambari.server.view.ViewAmbariStreamProvider.readFrom(ViewAmbariStreamProvider.java:85)
    at org.apache.ambari.view.utils.ambari.AmbariApi.readFromAmbari(AmbariApi.java:130)
    at org.apache.ambari.view.capacityscheduler.ConfigurationService.isOperator(ConfigurationService.java:322)
    at org.apache.ambari.view.capacityscheduler.ConfigurationService.getPrivilege(ConfigurationService.java:239)
Root cause:
Currently, after the fix for https://issues.apache.org/jira/browse/AMBARI-14503, I see that Ambari Server is applying AuthToLocal changes to usernames (code: https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java#L233),
and the YARN Capacity Scheduler is calling this method (https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/contrib/views/capacity-scheduler/src/main/java/org/apache/ambari/view/capacityscheduler/ConfigurationService.java#L319); Ambari Server rejects the request, stating no permission.
Ideally, the YARN Capacity Scheduler should be calling context.getLoggedinUser() instead of context.getUsername().
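
The mismatch described in the root cause, as an added example that is not part of the original report and not Ambari or Hadoop code: it applies a space-to-underscore AuthToLocal rule to the login name and shows that a privilege lookup keyed on the mapped name no longer matches the authenticated user. Assumptions: the rule filter is taken to be `(.* .*)`, only this single-component rule form is parsed, and the user store and the 200/403 decision are a constructed, simplified model of the server.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthToLocalMismatch {
    // Handles only the single-component "RULE:[1:$1](filter)s/from/to/[g]" form.
    private static final Pattern RULE =
        Pattern.compile("RULE:\\[1:\\$1\\]\\((.*)\\)s/(.*)/(.*)/(g?)");

    static String applyRule(String rule, String name) {
        Matcher m = RULE.matcher(rule);
        if (!m.matches()) throw new IllegalArgumentException("unsupported rule: " + rule);
        if (!name.matches(m.group(1))) return name;   // filter does not match: name unchanged
        Matcher sub = Pattern.compile(m.group(2)).matcher(name);
        String to = Matcher.quoteReplacement(m.group(3));
        return m.group(4).isEmpty() ? sub.replaceFirst(to) : sub.replaceAll(to);
    }

    // Constructed stand-in for the server's user store, keyed by login name.
    static final Map<String, String> PRIVILEGES = Map.of("Akhil Naik", "AMBARI.ADMINISTRATOR");

    // Simplified model (assumption): a lookup succeeds only when the requested
    // user is the authenticated login name and that name exists in the store.
    static int privilegeLookupStatus(String authenticatedUser, String requestedUser) {
        boolean ok = requestedUser.equals(authenticatedUser)
            && PRIVILEGES.containsKey(requestedUser);
        return ok ? 200 : 403;
    }

    public static void main(String[] args) {
        String rule = "RULE:[1:$1](.* .*)s/ /_/g";   // assumed form of the rule
        String loggedIn = "Akhil Naik";              // name the user authenticated with
        String mapped = applyRule(rule, loggedIn);   // name after AuthToLocal mapping

        System.out.println("mapped name: " + mapped);
        System.out.println("lookup with mapped name:    "
            + privilegeLookupStatus(loggedIn, mapped));
        System.out.println("lookup with logged-in name: "
            + privilegeLookupStatus(loggedIn, loggedIn));
        // A name without a space does not match the filter and is left alone.
        System.out.println("unaffected name: " + applyRule(rule, "admin"));
    }
}
```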