Details
-
Sub-task
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
-
None
Description
HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
http://<HS_IP>:19888/ws/v1/history/containers/container_e03_1594030808801_0002_01_000003/logs
While accessing above link using systest user, the request fails saying mapred user does not have access to the job
2020-07-06 14:02:59,178 WARN org.apache.hadoop.yarn.server.webapp.LogServlet: Could not obtain node HTTP address from provider.
javax.ws.rs.WebApplicationException: org.apache.hadoop.yarn.exceptions.YarnException: User mapred does not have privilege to see this application application_1593997842459_0214
at org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getContainerReport(ClientRMService.java:516)
at org.apache.hadoop.yarn.api.impl.pb.service.ApplicationClientProtocolPBServiceImpl.getContainerReport(ApplicationClientProtocolPBServiceImpl.java:466)
at org.apache.hadoop.yarn.proto.ApplicationClientProtocol$ApplicationClientProtocolService$2.callBlockingMethod(ApplicationClientProtocol.java:639)
at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:528)
at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1070)
at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:985)
at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:913)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1876)
at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2882)
at org.apache.hadoop.yarn.server.webapp.WebServices.rewrapAndThrowThrowable(WebServices.java:544)
at org.apache.hadoop.yarn.server.webapp.WebServices.rewrapAndThrowException(WebServices.java:530)
at org.apache.hadoop.yarn.server.webapp.WebServices.getContainer(WebServices.java:405)
at org.apache.hadoop.yarn.server.webapp.WebServices.getNodeHttpAddress(WebServices.java:373)
at org.apache.hadoop.yarn.server.webapp.LogServlet.getContainerLogsInfo(LogServlet.java:268)
at org.apache.hadoop.mapreduce.v2.hs.webapp.HsWebServices.getContainerLogs(HsWebServices.java:461)
On Analyzing, found WebServices#getContainer uses doAs using UGI created by createRemoteUser(end user) to access RM#ApplicationClientProtocol which does not work. Need to use createProxyUser to do the same.