Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-10025 Various improvements in YARN log servlets
  3. YARN-10340

HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None
    • None

    Description

      HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol

       

      http://<HS_IP>:19888/ws/v1/history/containers/container_e03_1594030808801_0002_01_000003/logs

      While accessing above link using systest user, the request fails saying mapred user does not have access to the job

       

      2020-07-06 14:02:59,178 WARN org.apache.hadoop.yarn.server.webapp.LogServlet: Could not obtain node HTTP address from provider.
javax.ws.rs.WebApplicationException: org.apache.hadoop.yarn.exceptions.YarnException: User mapred does not have privilege to see this application application_1593997842459_0214
        at org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getContainerReport(ClientRMService.java:516)
        at org.apache.hadoop.yarn.api.impl.pb.service.ApplicationClientProtocolPBServiceImpl.getContainerReport(ApplicationClientProtocolPBServiceImpl.java:466)
        at org.apache.hadoop.yarn.proto.ApplicationClientProtocol$ApplicationClientProtocolService$2.callBlockingMethod(ApplicationClientProtocol.java:639)
        at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:528)
        at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1070)
        at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:985)
        at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:913)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1876)
        at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2882)

        at org.apache.hadoop.yarn.server.webapp.WebServices.rewrapAndThrowThrowable(WebServices.java:544)
        at org.apache.hadoop.yarn.server.webapp.WebServices.rewrapAndThrowException(WebServices.java:530)
        at org.apache.hadoop.yarn.server.webapp.WebServices.getContainer(WebServices.java:405)
        at org.apache.hadoop.yarn.server.webapp.WebServices.getNodeHttpAddress(WebServices.java:373)
        at org.apache.hadoop.yarn.server.webapp.LogServlet.getContainerLogsInfo(LogServlet.java:268)
        at org.apache.hadoop.mapreduce.v2.hs.webapp.HsWebServices.getContainerLogs(HsWebServices.java:461)

      On Analyzing, found WebServices#getContainer uses doAs using UGI created by createRemoteUser(end user) to access RM#ApplicationClientProtocol which does not work. Need to use createProxyUser to do the same.

      Attachments

        Activity

          People

            tarunparimi Tarun Parimi
            prabhujoseph Prabhu Joseph
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated: