Uploaded image for project: 'Hadoop Map/Reduce'
  1. Hadoop Map/Reduce
  2. MAPREDUCE-3101 [Umbrella] Security issues in YARN
  3. MAPREDUCE-3623

Authorization of NM <=> RM with simple authentication mistakenly attempts kerberos when yarn.nodemanager.principal is defined

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 0.23.1, 2.0.0-alpha
    • Fix Version/s: None
    • Component/s: mrv2
    • Labels:
      None

      Description

      MAPREDUCE-3617 addresses the default values of yarn.nodemanager.principal and yarn.resourcemanager.principal

      I have enabled authorization with simple authentication. NM <=> RM still attempts kerberos authentication. If simple authentication is enabled yarn.nodemanager.principal and yarn.resourcemanager.principal values should be ignored and simple authentication should be used.

      core-site.xml snippet
        <property>
          <name>hadoop.security.authentication</name>
          <value>simple</value>
          <description></description>
        </property>
        <property>
          <name>hadoop.security.authorization</name>
          <value>true</value>
          <description></description>
        </property>
      
      yarn-site.xml snippet
      <property>
        <description>The Kerberos principal for the resource manager.</description>
        <name>yarn.resourcemanager.principal</name>
        <value>rm/sightbusy-lx@LOCALHOST</value>
      </property>
      <property>
        <description>The kerberos principal for the node manager.</description>
        <name>yarn.nodemanager.principal</name>
        <value>nm/sightbusy-lx@LOCALHOST</value>
      </property>
      
      nodemanager.out snippet
      2012-01-03 16:40:00,793 INFO  nodemanager.NodeStatusUpdaterImpl (NodeStatusUpdaterImpl.java:registerWithRM(176)) - Connected to ResourceManager at machine.example.com:8025
      2012-01-03 16:40:00,845 ERROR service.CompositeService (CompositeService.java:start(72)) - Error starting services org.apache.hadoop.yarn.server.nodemanager.NodeManager
      org.apache.avro.AvroRuntimeException: java.lang.reflect.UndeclaredThrowableException
          at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.start(NodeStatusUpdaterImpl.java:149)
          at org.apache.hadoop.yarn.service.CompositeService.start(CompositeService.java:68)
          at org.apache.hadoop.yarn.server.nodemanager.NodeManager.start(NodeManager.java:167)
          at org.apache.hadoop.yarn.server.nodemanager.NodeManager.main(NodeManager.java:242)
      Caused by: java.lang.reflect.UndeclaredThrowableException
          at org.apache.hadoop.yarn.server.api.impl.pb.client.ResourceTrackerPBClientImpl.registerNodeManager(ResourceTrackerPBClientImpl.java:66)
          at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.registerWithRM(NodeStatusUpdaterImpl.java:182)
          at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.start(NodeStatusUpdaterImpl.java:145)
          ... 3 more
      Caused by: com.google.protobuf.ServiceException: org.apache.hadoop.security.authorize.AuthorizationException: User user (auth:SIMPLE) is not authorized for protocol interface org.apache.hadoop.yarn.proto.ResourceTracker$ResourceTrackerService$BlockingInterface, expected client Kerberos principal is nm/sightbusy-lx@LOCALHOST
          at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:139)
          at $Proxy24.registerNodeManager(Unknown Source)
          at org.apache.hadoop.yarn.server.api.impl.pb.client.ResourceTrackerPBClientImpl.registerNodeManager(ResourceTrackerPBClientImpl.java:59)
          ... 5 more
      Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User user (auth:SIMPLE) is not authorized for protocol interface org.apache.hadoop.yarn.proto.ResourceTracker$ResourceTrackerService$BlockingInterface, expected client Kerberos principal is nm/sightbusy-lx@LOCALHOST
          at org.apache.hadoop.ipc.Client.call(Client.java:1085)
          at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:136)
          ... 7 more
      2012-01-03 16:40:00,846 WARN  event.AsyncDispatcher (AsyncDispatcher.java:run(78)) - AsyncDispatcher thread interrupted
      java.lang.InterruptedException
          at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:1961)
          at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1996)
          at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:399)
          at org.apache.hadoop.yarn.event.AsyncDispatcher$1.run(AsyncDispatcher.java:76)
          at java.lang.Thread.run(Thread.java:662)
      2012-01-03 16:40:00,846 INFO  service.AbstractService (AbstractService.java:stop(75)) - Service:Dispatcher is stopped.
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ojoshi Omkar Vinit Joshi
                Reporter:
                jeagles Jonathan Eagles
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: