Uploaded image for project: 'Hadoop Map/Reduce'
  1. Hadoop Map/Reduce
  2. MAPREDUCE-3417

job access controls not working app master and job history UI's

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.23.0
    • Fix Version/s: 0.23.1
    • Component/s: mrv2
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Fixed job-access-controls to work with MR AM and JobHistoryServer web-apps.

      Description

      tested with security on, no filters defined for httpserver, job acls set so that only I could view/modify the job. Then went to the web ui to app master and job history server and both allowed me to view the job details. The webui shows the user "webuser". The RM properly rejected my request although it was using user "Dr.Who".

      The exception shown in the log is:
      11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
      11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user webuser
      org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user

      at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
      at org.apache.hadoop.util.Shell.run(Shell.java:188)
      at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
      at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
      at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
      at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
      at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
      at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
      at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
      at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
      at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
      at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
      at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
      at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
      at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)

        Attachments

        1. MAPREDUCE-3417.patch
          12 kB
          Jonathan Eagles
        2. MAPREDUCE-3417.patch
          12 kB
          Jonathan Eagles
        3. MAPREDUCE-3417.patch
          14 kB
          Jonathan Eagles
        4. MAPREDUCE-3417.patch
          19 kB
          Jonathan Eagles
        5. MAPREDUCE-3417.patch
          19 kB
          Jonathan Eagles
        6. MAPREDUCE-3417.patch
          19 kB
          Jonathan Eagles
        7. MAPREDUCE-3417.patch
          17 kB
          Jonathan Eagles
        8. MAPREDUCE-3417.patch
          15 kB
          Jonathan Eagles

          Activity

            People

            • Assignee:
              jeagles Jonathan Eagles
              Reporter:
              tgraves Thomas Graves
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: