[PR] YARN-11836. Fixed AM log fetching with YARN CLI [hadoop]

via GitHub Thu, 17 Jul 2025 09:32:32 -0700


p-szucs opened a new pull request, #7813:
URL: https://github.com/apache/hadoop/pull/7813


   Change-Id: I04678a04503e01e67f1075f3fc543887cf80ac47
   
   <!--
     Thanks for sending a pull request!
       1. If this is your first time, please read our contributor guidelines: 
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
       2. Make sure your PR title starts with JIRA issue id, e.g., 
'HADOOP-17799. Your PR title ...'.
   -->
   
   ### Description of PR
   [YARN-10767](https://issues.apache.org/jira/browse/YARN-10767) introduced a 
bug, where YARN Logs CLI is unable to fetch the AM logs using "-am" option if 
the user is not in the Admin ACLs.
   
   This commit changed the logic for requesting the AM logs and it fetches the 
"id" of the active RM from the HA service, and requesting the logs from there.
   
   **Reproduction:**
   
   The issue can be reproduced by calling "yarn logs -applicationId ‹appId› -am 
1" command with a user who has not got admin access.
   
   In the RM logs of the test cluster I can see the following error, which 
states that the user doesn't have permission to call 'getServiceState':
   
   ```
   IPC Server handler 0 on default port 8033, call Call#3 Retry#0 
org.apache.hadoop.ha.HAServiceProtocol.getServiceStatus
   org.apache.hadoop.security.AccessControlException: User systest doesn't have 
permission to call 'getServiceState'
   at 
org.apache.hadoop.yarn.server.resourcemanager.RMServerUtils.verifyAdminAccess(RMServerUtils.java:433)
   at 
org.apache.hadoop.yarn.server.resourcemanager.RMServerUtils.verifyAdminAccess(RMServerUtils.java:398)
   at 
org.apache.hadoop.yarn.server.resourcemanager.AdminService.checkAccess(AdminService.java:243)
   at 
org.apache.hadoop.yarn.server.resourcemanager.AdminService.getServiceStatus(AdminService.java:396)
   at 
org.apache.hadoop.ha.protocolPB.HAServiceProtocolServerSideTranslatorPB.getServiceStatus(HAServiceProtocolServerSideTranslatorPB.java:148)
   at 
org.apache.hadoop.ha.proto.HAServiceProtocolProtos$HAServiceProtocolService$2.callBlockingMethod(HAServiceProtocolProtos.java:6154)
   at 
org.apache.hadoop.ipc.ProtobufRpcEngine2$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine2.java:621)
   at 
org.apache.hadoop.ipc.ProtobufRpcEngine2$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine2.java:589)
   at 
org.apache.hadoop.ipc.ProtobufRpcEngine2$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine2.java:573)
   at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1227)
   at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:1247)
   at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:1170)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAs(Subject.java:422)
   at 
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1964)
   at org.apache.hadoop.ipc.Server$Handler.run(Server.java:3200)
   ```
   
   Currently in WebAppUtils's execOnActiveRM method we throw an exception when 
RMHAUtils.findActiveRMHAId returns null 
[here](https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/util/WebAppUtils.java#L116),
 stating that "No active RM is available". However that method will return null 
if the permissions are missing to check the service states. I think at this 
point we could fall back to the original code here, and try to find the active 
RM by iterating through them. 
   
   The issue only happens in HA mode, and only if we use "-am" option, without 
this option the AM logs can be retrieved together with the aggregated logs.
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [x] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[PR] YARN-11836. Fixed AM log fetching with YARN CLI [hadoop]

Reply via email to