[ 
https://issues.apache.org/jira/browse/AMBARI-25139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Akhil Naik updated AMBARI-25139:
--------------------------------
    Fix Version/s: trunk

> Yarn Capacity Scheduler Authorization issues due to AuthToLocal Rules
> ---------------------------------------------------------------------
>
>                 Key: AMBARI-25139
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25139
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-views
>    Affects Versions: 2.6.2, 2.7.3
>            Reporter: Akhil Naik
>            Assignee: Akhil Naik
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: trunk
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> Yarn Capacity Scheduler is having issues with authorization if AuthToLocal 
> rules are enabled.
> Problem Statement: I am logging in as an LDAP user synced with Ambari, and my 
> username contains spaces, for example 'Akhil Naik'. The user is an Ambari 
> Admin user.
> In core-site.xml the AuthToLocal rules are set:
> {code:java}
> RULE:[1:$1](. *.*)s/ /_/g
> {code}
> It will display:
> *"Warning! You do not have permission to edit the Capacity Scheduler 
> configuration. Contact your Cluster administrator."*
> and the logs state:
> {code:java}
> The authenticated user is not authorized to perform the requested operation
> 28 Jan 2019 17:56:03,488 ERROR [ambari-client-thread-277] [CAPACITY-SCHEDULER 1.0.0 AUTO_CS_INSTANCE] ConfigurationService:333 - Got Error response from url : /api/v1/users/chitrartha_sur?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=v01eaedl). Response : {
>   "status" : 403,
>   "message" : "The authenticated user is not authorized to perform the requested operation"
> }
> org.apache.ambari.view.AmbariHttpException: {
>   "status" : 403,
>   "message" : "The authenticated user is not authorized to perform the requested operation"
> }
>         at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:135)
>         at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:123)
>         at org.apache.ambari.server.view.ViewAmbariStreamProvider.readFrom(ViewAmbariStreamProvider.java:85)
>         at org.apache.ambari.view.utils.ambari.AmbariApi.readFromAmbari(AmbariApi.java:130)
>         at org.apache.ambari.view.capacityscheduler.ConfigurationService.isOperator(ConfigurationService.java:322)
>         at org.apache.ambari.view.capacityscheduler.ConfigurationService.getPrivilege(ConfigurationService.java:239)
> {code}
> Root cause:
> Currently, after the fix of https://issues.apache.org/jira/browse/AMBARI-14503 , 
> I see Ambari Server is converting AuthToLocal changes for usernames (Code: 
> https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java#L233
>  )
> and Yarn Capacity Scheduler is calling this method 
> (https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/contrib/views/capacity-scheduler/src/main/java/org/apache/ambari/view/capacityscheduler/ConfigurationService.java#L319);
> Ambari Server rejects the request, stating no permission.
> *Ideally Yarn Capacity Scheduler should be calling 
> context.getLoggedinUser() instead of context.getUsername()*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
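
The mismatch described in the issue, as an added example that is not Ambari or Hadoop code: a small evaluator for the quoted rule shows the login name and the mapped name diverging, so a privilege lookup keyed by the mapped name misses the account. The function names, the `AMBARI_ADMINS` set and the 200/403 model are assumptions made for illustration, and only a subset of the auth_to_local syntax is handled.

```python
import re

# Subset of Hadoop auth_to_local syntax: RULE:[n:format](match)s/pattern/replacement/g
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def apply_auth_to_local(rule, principal):
    """Return the local name the rule produces, or None if the rule does not apply."""
    parsed = RULE_RE.match(rule)
    if parsed is None:
        raise ValueError("unsupported rule: " + rule)
    count, fmt, match, pattern, replacement, is_global = parsed.groups()
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")          # $0 = realm, $1.. = components
    if len(parts) - 1 != int(count):           # rule targets a different component count
        return None
    base = re.sub(r"\$(\d)", lambda ref: parts[int(ref.group(1))], fmt)
    if match is not None and re.fullmatch(match, base) is None:
        return None
    if pattern is not None:                    # sed-style substitution, all matches if /g
        base = re.sub(pattern, replacement, base, count=0 if is_global else 1)
    return base

# Constructed stand-in for Ambari's user store, keyed by login name (assumption).
AMBARI_ADMINS = {"Akhil Naik", "admin"}

def privilege_status(user_name):
    """Model of the privilege query: 200 for a known admin, 403 otherwise."""
    return 200 if user_name in AMBARI_ADMINS else 403

def affected_logins(rule, logins):
    """Logins whose mapped name differs, so a lookup by mapped name misses them."""
    return [u for u in logins if apply_auth_to_local(rule, u) not in (None, u)]

RULE = "RULE:[1:$1](. *.*)s/ /_/g"   # rule exactly as quoted in the report

if __name__ == "__main__":
    login = "Akhil Naik"
    mapped = apply_auth_to_local(RULE, login)
    print(mapped, privilege_status(mapped))   # lookup by mapped name
    print(login, privilege_status(login))     # lookup by login name
    print(affected_logins(RULE, sorted(AMBARI_ADMINS)))
```

Running `affected_logins` over an export of Ambari user names lists the accounts that would hit this authorization failure while the view queries by the mapped name.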
