Uploaded image for project: 'Hadoop Map/Reduce'
  1. Hadoop Map/Reduce
  2. MAPREDUCE-3470

Jobtracker sets permissions on mapred.system.dir to 700 preventing non-superusers from submitting jobs to multi-user cluster

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 0.20.205.0, 1.0.0
    • 1.2.0
    • jobtracker
    • None

    • Debian 6.0 x64_64
      java version "1.6.0_26"
      Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
      Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)

    Description

      (See thread discussing here - https://mail-archives.apache.org/mod_mbox/hadoop-common-user/201111.mbox/%3C4EBAC2B3.6090806@deri.org%3E)

      I have installed a hadoop 0.20.205.0 cluster for use by multiple users, each of which will submit their jobs from remote client systems. I have disabled security

      <property>
      <name>hadoop.security.authorization</name>
      <value>false</value>
      </property>

      <property>
      <name>hadoop.security.authentication</name>
      <value>simple</value>
      </property>

      When a user other than super-user attempts to submit a job, they get the following error

      11/11/09 16:32:53 INFO mapred.FileInputFormat: Total input paths to process : 2
      11/11/09 16:32:53 INFO mapred.JobClient: Running job: job_201111091731_0003
      11/11/09 16:32:54 INFO mapred.JobClient: map 0% reduce 0%
      11/11/09 16:32:54 INFO mapred.JobClient: Job complete: job_201111091731_0003
      11/11/09 16:32:54 INFO mapred.JobClient: Counters: 0
      11/11/09 16:32:54 INFO mapred.JobClient: Job Failed: Job initialization failed:
      org.apache.hadoop.security.AccessControlException: org.apache.hadoop.security.AccessControlException: Permission denied: user=smulcahy, access=EXECUTE, inode="system":hadoop:supergroup:rwx------
      .....

      which seems to be due to not being able to create a jobToken file in <mapred.system.dir>/<job id>/jobToken

      I can reset the permissions on mapred.system.dir to something like 777 but when I restart the jobtracker, it resets the permissions back to 700, requiring another permissions reset.

      This gives rise to a few questions,

      1. Should I be able to use a hadoop cluster in this fashion or is this not supported (if not, supported, I guess close this bug as invalid). If it is not supported, it reduces the usability of hadoop for a class of users like myself (but maybe thats a small class).
      2. If I should be able to use the cluster like this, should <mapred.system.dir>/<job id>/jobToken need to be created if security is disabled? If no, then I guess is the bug that needs to be fixed. If yes, then the jobtracker needs to be modified to allow everyone to create dirs in mapred.system.dir (or the method of creation of the jobToken file needs to be changed).

      Apologies if this was operator error but I didn't get much feedback on the mailing lists so not sure where/how else to raise this.

      Changed introduced in MAPREDUCE-2219

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MAPREDUCE-4451 fairscheduler fail to init job with kerberos authentication configured

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              smulcahy stephen mulcahy
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: