Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Blocker
-
Resolution: Fixed
-
Affects Version/s: 0.21.0
-
Fix Version/s: 0.21.0
-
Component/s: security
-
Labels:None
-
Hadoop Flags:Reviewed
-
Release Note:Fixed a bug that caused all the AdminOperationsProtocol operations to fail when service-level authorization is enabled. The problem is solved by registering AdminOperationsProtocol also with MapReducePolicyProvider.
Description
If service-level authorization enabled (i.e hadoop.security.authorization set to true) for MapReduce then refreshing the node and queue fails with the following message
Protocol interface org.apache.hadoop.mapred.AdminOperationsProtocol is not known.
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
Attaching patch for yahoo! dist on behalf of Amar. Not for commit here.
Attaching a patch for trunk. test-patch and ant-tests passed.
I think this definitely is a blocker for 0.21.
The trunk patch applies cleanly to trunk and branch-0.21. Running through husdon.
+1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12439356/mr-1611-v1.0.patch
against trunk revision 940740.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 3 new or modified tests.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Mapreduce-Patch-h4.grid.sp2.yahoo.net/163/testReport/
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Mapreduce-Patch-h4.grid.sp2.yahoo.net/163/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Mapreduce-Patch-h4.grid.sp2.yahoo.net/163/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Mapreduce-Patch-h4.grid.sp2.yahoo.net/163/console
This message is automatically generated.
Patch looks good. I also ran a single node test to verify refresh queues, it passes. Going to commit this..
Just committed this to trunk. Having minor problems merging the changes to 0.21, asking Sharad's help..
Committed to trunk and 0.21 branch. Thanks Amar!
ServiceAuthorizationManager authorizes users against the ACLs specified for the protocol used. With service level authorization enabled, when a user tries to refresh the nodes at the JobTracker, ServiceAuthorizationManager tries to authorize the user against the ACL specified for AdminOperationsProtocol. For MapReduce, the list of protocols to be authorized is provided by MapReducePolicyProvider. MapReducePolicyProvider doesnt list AdminOperationsProtocol causing 'refreshNodes' to fail.