[jira] [Created] (AMBARI-23984) ResourceManager Web UI alert leads to frequent group mapping lookups in RM

Wed, 30 May 2018 10:33:32 -0700 

Tarun Parimi created AMBARI-23984:
-------------------------------------

             Summary: ResourceManager Web UI alert leads to frequent group 
mapping lookups in RM 
                 Key: AMBARI-23984
                 URL: https://issues.apache.org/jira/browse/AMBARI-23984
             Project: Ambari
          Issue Type: Bug
          Components: alerts
    Affects Versions: 2.6.0
            Reporter: Tarun Parimi


In YARN ResourceManager(RM)  log, I see group mapping lookup performed for HTTP 
user every minute.
{code:java}
2018-05-23 10:47:22,537 WARN security.ShellBasedUnixGroupsMapping 
(ShellBasedUnixGroupsMapping.java:getUnixGroups(87)) - got exception trying to 
get groups for user HTTP: id: HTTP: no such user 
2018-05-23 10:48:22,228 WARN security.ShellBasedUnixGroupsMapping 
(ShellBasedUnixGroupsMapping.java:getUnixGroups(87)) - got exception trying to 
get groups for user HTTP: id: HTTP: no such user 
2018-05-23 10:49:22,330 WARN security.ShellBasedUnixGroupsMapping 
(ShellBasedUnixGroupsMapping.java:getUnixGroups(87)) - got exception trying to 
get groups for user HTTP: id: HTTP: no such user 
{code}
Identified that it is due to *ResourceManager Web UI* alert due to the reasons 
mentioned in AMBARI-23026 .

But this WARN message is not present in Namenode logs even though *NameNode Web 
UI* alert is configured with the same HTTP principal.

The difference in RM is that the 
*{\{yarn-site/yarn.resourcemanager.webapp.address}}* configured will by default 
fetch the RM applications page. To serve this page, the RM has to fetch all its 
applications (default:10000) and performs ACL checks  on whether the user 
requesting the page can view the application.

So requesting the default page of RM every one minute can result in group 
mapping lookups and also multiple entries in Ranger audit logs if Ranger Yarn 
Plugin is configured.

To avoid these unnecessary overheads, we should change the http/s uri property 
to something like  
"\{{yarn-site/yarn.resourcemanager.webapp.address}}/cluster/cluster". This url 
will not need any group mapping lookups or ACL checks. This will avoid the 
above problems and the http request done for the alert will be much faster.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to