Uploaded image for project: 'Hadoop Map/Reduce'
  1. Hadoop Map/Reduce
  2. MAPREDUCE-3101 [Umbrella] Security issues in YARN
  3. MAPREDUCE-3623

Authorization of NM <=> RM with simple authentication mistakenly attempts kerberos when yarn.nodemanager.principal is defined

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • 0.23.1, 2.0.0-alpha
    • None
    • mrv2
    • None

    Description

      MAPREDUCE-3617 addresses the default values of yarn.nodemanager.principal and yarn.resourcemanager.principal

      I have enabled authorization with simple authentication. NM <=> RM still attempts kerberos authentication. If simple authentication is enabled yarn.nodemanager.principal and yarn.resourcemanager.principal values should be ignored and simple authentication should be used.

      core-site.xml snippet
        <property>
    <name>hadoop.security.authentication</name>
    <value>simple</value>
    <description></description>
  </property>
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
    <description></description>
  </property>
      yarn-site.xml snippet
      <property>
  <description>The Kerberos principal for the resource manager.</description>
  <name>yarn.resourcemanager.principal</name>
  <value>rm/sightbusy-lx@LOCALHOST</value>
</property>
<property>
  <description>The kerberos principal for the node manager.</description>
  <name>yarn.nodemanager.principal</name>
  <value>nm/sightbusy-lx@LOCALHOST</value>
</property>
      nodemanager.out snippet
      2012-01-03 16:40:00,793 INFO  nodemanager.NodeStatusUpdaterImpl (NodeStatusUpdaterImpl.java:registerWithRM(176)) - Connected to ResourceManager at machine.example.com:8025
2012-01-03 16:40:00,845 ERROR service.CompositeService (CompositeService.java:start(72)) - Error starting services org.apache.hadoop.yarn.server.nodemanager.NodeManager
org.apache.avro.AvroRuntimeException: java.lang.reflect.UndeclaredThrowableException
    at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.start(NodeStatusUpdaterImpl.java:149)
    at org.apache.hadoop.yarn.service.CompositeService.start(CompositeService.java:68)
    at org.apache.hadoop.yarn.server.nodemanager.NodeManager.start(NodeManager.java:167)
    at org.apache.hadoop.yarn.server.nodemanager.NodeManager.main(NodeManager.java:242)
Caused by: java.lang.reflect.UndeclaredThrowableException
    at org.apache.hadoop.yarn.server.api.impl.pb.client.ResourceTrackerPBClientImpl.registerNodeManager(ResourceTrackerPBClientImpl.java:66)
    at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.registerWithRM(NodeStatusUpdaterImpl.java:182)
    at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.start(NodeStatusUpdaterImpl.java:145)
    ... 3 more
Caused by: com.google.protobuf.ServiceException: org.apache.hadoop.security.authorize.AuthorizationException: User user (auth:SIMPLE) is not authorized for protocol interface org.apache.hadoop.yarn.proto.ResourceTracker$ResourceTrackerService$BlockingInterface, expected client Kerberos principal is nm/sightbusy-lx@LOCALHOST
    at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:139)
    at $Proxy24.registerNodeManager(Unknown Source)
    at org.apache.hadoop.yarn.server.api.impl.pb.client.ResourceTrackerPBClientImpl.registerNodeManager(ResourceTrackerPBClientImpl.java:59)
    ... 5 more
Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User user (auth:SIMPLE) is not authorized for protocol interface org.apache.hadoop.yarn.proto.ResourceTracker$ResourceTrackerService$BlockingInterface, expected client Kerberos principal is nm/sightbusy-lx@LOCALHOST
    at org.apache.hadoop.ipc.Client.call(Client.java:1085)
    at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:136)
    ... 7 more
2012-01-03 16:40:00,846 WARN  event.AsyncDispatcher (AsyncDispatcher.java:run(78)) - AsyncDispatcher thread interrupted
java.lang.InterruptedException
    at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:1961)
    at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1996)
    at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:399)
    at org.apache.hadoop.yarn.event.AsyncDispatcher$1.run(AsyncDispatcher.java:76)
    at java.lang.Thread.run(Thread.java:662)
2012-01-03 16:40:00,846 INFO  service.AbstractService (AbstractService.java:stop(75)) - Service:Dispatcher is stopped.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-9444 $var shell substitution in properties are not expanded in hadoop-policy.xml

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              ojoshi Omkar Vinit Joshi
              jeagles Jonathan Turner Eagles
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: