Hadoop Common
  1. Hadoop Common
  2. HADOOP-6634

AccessControlList uses full-principal names to verify acls causing queue-acls to fail

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.21.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      ACL configuration so far was using short user-names. With the changed UserGroupInformation, short names are different from the long fully-qualified names. AccessControlList continues to use UserGroupInformation.getUserName() for verifying access control. Because of this, queue acls fail for a user "user@domain.org" even though the short name "user" is part of the acl configuration.

      1. HADOOP-6634-20100428.txt
        4 kB
        Vinod Kumar Vavilapalli
      2. HADOOP-6634-20100317-ydist.1.txt
        4 kB
        Vinod Kumar Vavilapalli

        Activity

        Hide
        Vinod Kumar Vavilapalli added a comment -

        Lee hit the bug in one of the deployments with the new security fixes, and Hemanth cornered out the bug. Thanks to both!

        Show
        Vinod Kumar Vavilapalli added a comment - Lee hit the bug in one of the deployments with the new security fixes, and Hemanth cornered out the bug. Thanks to both!
        Hide
        Allen Wittenauer added a comment -

        Hopefully ACLs will get updated to support both plain "user" and a principal name. This way we could force automated jobs that use cron/user (or whatever) to go to a special queue vs. ad hoc queries going to a different queue.

        Show
        Allen Wittenauer added a comment - Hopefully ACLs will get updated to support both plain "user" and a principal name. This way we could force automated jobs that use cron/user (or whatever) to go to a special queue vs. ad hoc queries going to a different queue.
        Hide
        Vinod Kumar Vavilapalli added a comment -

        Patch for yahoo dist. Not for commit here. This only supports short user-names.

        Show
        Vinod Kumar Vavilapalli added a comment - Patch for yahoo dist. Not for commit here. This only supports short user-names.
        Hide
        Vinod Kumar Vavilapalli added a comment -

        Hopefully ACLs will get updated to support both plain "user" and a principal name.

        @Allen, I talked to Devaraj about this as he has deeper context. As he says, supporting is not straightforward implementation-wise and needs more involved changes. The current issue tracks a bug which completely causes queue-acls to fail. So I propose we only fix this bug here and track the support for both plain user and long principal names in another JIRA issue. Does that work?

        Show
        Vinod Kumar Vavilapalli added a comment - Hopefully ACLs will get updated to support both plain "user" and a principal name. @Allen, I talked to Devaraj about this as he has deeper context. As he says, supporting is not straightforward implementation-wise and needs more involved changes. The current issue tracks a bug which completely causes queue-acls to fail. So I propose we only fix this bug here and track the support for both plain user and long principal names in another JIRA issue. Does that work?
        Hide
        Allen Wittenauer added a comment -

        That's totally cool with me.

        Show
        Allen Wittenauer added a comment - That's totally cool with me.
        Hide
        Vinod Kumar Vavilapalli added a comment -

        Patch for trunk. The testcase change should serve as both verifying the patch as well as a regression test.

        Show
        Vinod Kumar Vavilapalli added a comment - Patch for trunk. The testcase change should serve as both verifying the patch as well as a regression test.
        Hide
        Vinod Kumar Vavilapalli added a comment -

        Running it through Hudson.

        Show
        Vinod Kumar Vavilapalli added a comment - Running it through Hudson.
        Hide
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12443050/HADOOP-6634-20100428.txt
        against trunk revision 938788.

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 3 new or modified tests.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/testReport/
        Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/artifact/trunk/build/test/checkstyle-errors.html
        Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12443050/HADOOP-6634-20100428.txt against trunk revision 938788. +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/testReport/ Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/artifact/trunk/build/test/checkstyle-errors.html Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h1.grid.sp2.yahoo.net/60/console This message is automatically generated.
        Hide
        Ravi Gummadi added a comment -

        Patch for trunk looks good.
        +1

        Show
        Ravi Gummadi added a comment - Patch for trunk looks good. +1
        Hide
        Sharad Agarwal added a comment -

        I just committed this. Thanks Vinod.

        Show
        Sharad Agarwal added a comment - I just committed this. Thanks Vinod.

          People

          • Assignee:
            Vinod Kumar Vavilapalli
            Reporter:
            Vinod Kumar Vavilapalli
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development