[
https://issues.apache.org/jira/browse/HADOOP-8225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13424853#comment-13424853
]
Daryn Sharp commented on HADOOP-8225:
-------------------------------------
Actually, the fact that multiple projects need to make a similar change is
indicative of a bug in the core. The passing along of tokens should be an
invisible service provide by the hadoop security framework. Distcp and other
tools should not know or care whether it's being run via a real user, proxy
user, via oozie, or something else.
I briefly investigated a bit more, and the env var actually originates from UGI
which internally uses it to automatically load the tokens, hence tools should
not know about this internal implementation detail of UGI. I think the issue
is the tokens are being loaded into the login user instead of the real user. I
believe no tool will require changes if the UGI is modified to load the tokens
into the real user.
> DistCp fails when invoked by Oozie
> ----------------------------------
>
> Key: HADOOP-8225
> URL: https://issues.apache.org/jira/browse/HADOOP-8225
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 0.23.1
> Reporter: Mithun Radhakrishnan
> Attachments: HADOOP-8225.patch, HADOOP-8225.patch
>
>
> When DistCp is invoked through a proxy-user (e.g. through Oozie), the
> delegation-token-store isn't picked up by DistCp correctly. One sees failures
> such as:
> ERROR [main] org.apache.hadoop.tools.DistCp: Couldn't complete DistCp
> operation:
> java.lang.SecurityException: Intercepted System.exit(-999)
> at
> org.apache.oozie.action.hadoop.LauncherSecurityManager.checkExit(LauncherMapper.java:651)
> at java.lang.Runtime.exit(Runtime.java:88)
> at java.lang.System.exit(System.java:904)
> at org.apache.hadoop.tools.DistCp.main(DistCp.java:357)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.apache.oozie.action.hadoop.LauncherMapper.map(LauncherMapper.java:394)
> at org.apache.hadoop.mapred.MapRunner.run(MapRunner.java:54)
> at org.apache.hadoop.mapred.MapTask.runOldMapper(MapTask.java:399)
> at org.apache.hadoop.mapred.MapTask.run(MapTask.java:334)
> at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:147)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1177)
> at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:142)
> Looking over the DistCp code, one sees that HADOOP_TOKEN_FILE_LOCATION isn't
> being copied to mapreduce.job.credentials.binary, in the job-conf. I'll post
> a patch for this shortly.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
