Hadoop Map/Reduce
  1. Hadoop Map/Reduce
  2. MAPREDUCE-3417

job access controls not working app master and job history UI's


    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.23.0
    • Fix Version/s: 0.23.1
    • Component/s: mrv2
    • Labels:
    • Target Version/s:
    • Hadoop Flags:
    • Release Note:
      Fixed job-access-controls to work with MR AM and JobHistoryServer web-apps.


      tested with security on, no filters defined for httpserver, job acls set so that only I could view/modify the job. Then went to the web ui to app master and job history server and both allowed me to view the job details. The webui shows the user "webuser". The RM properly rejected my request although it was using user "Dr.Who".

      The exception shown in the log is:
      11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
      11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user webuser
      org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user

      at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
      at org.apache.hadoop.util.Shell.run(Shell.java:188)
      at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
      at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
      at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
      at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
      at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
      at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
      at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
      at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
      at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
      at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
      at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
      at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
      at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)

      1. MAPREDUCE-3417.patch
        12 kB
        Jonathan Eagles
      2. MAPREDUCE-3417.patch
        12 kB
        Jonathan Eagles
      3. MAPREDUCE-3417.patch
        14 kB
        Jonathan Eagles
      4. MAPREDUCE-3417.patch
        19 kB
        Jonathan Eagles
      5. MAPREDUCE-3417.patch
        19 kB
        Jonathan Eagles
      6. MAPREDUCE-3417.patch
        19 kB
        Jonathan Eagles
      7. MAPREDUCE-3417.patch
        17 kB
        Jonathan Eagles
      8. MAPREDUCE-3417.patch
        15 kB
        Jonathan Eagles


        No work has yet been logged on this issue.


          • Assignee:
            Jonathan Eagles
            Thomas Graves
          • Votes:
            0 Vote for this issue
            2 Start watching this issue


            • Created: