[ https://issues.apache.org/jira/browse/AMBARI-25139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Akhil Naik updated AMBARI-25139:
--------------------------------
    Fix Version/s: trunk

> Yarn Capacity Scheduler Authorization issues due to AuthToLocal Rules
> ---------------------------------------------------------------------
>
>                 Key: AMBARI-25139
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25139
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-views
>   Affects Versions: 2.6.2, 2.7.3
>            Reporter: Akhil Naik
>            Assignee: Akhil Naik
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: trunk
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> Yarn Capacity Scheduler is having issues with authorization if AuthToLocal
> rules are enabled.
> Problem Statement: I am logging in as an LDAP user synced with Ambari, and my
> username contains spaces. For example: 'Akhil Naik'. The user is an Ambari
> Admin user.
> In core-site.xml the AuthToLocal rules are set:
> {code:java}
> RULE:[1:$1](. *.*)s/ /_/g
> {code}
> It will display:
> *"Warning! You do not have permission to edit the Capacity Scheduler
> configuration. Contact your Cluster administrator."*
> and the logs state:
> {code:java}
> The authenticated user is not authorized to perform the requested operation28 Jan 2019 17:56:03,488 ERROR [ambari-client-thread-277] [CAPACITY-SCHEDULER 1.0.0 AUTO_CS_INSTANCE] ConfigurationService:333 - Got Error response from url : /api/v1/users/chitrartha_sur?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=v01eaedl).
> Response : {
>   "status" : 403,
>   "message" : "The authenticated user is not authorized to perform the requested operation"
> }
> org.apache.ambari.view.AmbariHttpException: {
>   "status" : 403,
>   "message" : "The authenticated user is not authorized to perform the requested operation"
> }
>       at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:135)
>       at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:123)
>       at org.apache.ambari.server.view.ViewAmbariStreamProvider.readFrom(ViewAmbariStreamProvider.java:85)
>       at org.apache.ambari.view.utils.ambari.AmbariApi.readFromAmbari(AmbariApi.java:130)
>       at org.apache.ambari.view.capacityscheduler.ConfigurationService.isOperator(ConfigurationService.java:322)
>       at org.apache.ambari.view.capacityscheduler.ConfigurationService.getPrivilege(ConfigurationService.java:239)
> {code}
> Root cause:
> Currently, after the fix of https://issues.apache.org/jira/browse/AMBARI-14503,
> I see Ambari Server is converting AuthToLocal changes for usernames (code:
> https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java#L233
> ) and Yarn Capacity Scheduler is calling this method
> (https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/contrib/views/capacity-scheduler/src/main/java/org/apache/ambari/view/capacityscheduler/ConfigurationService.java#L319),
> so Ambari Server rejects the request, stating no permission.
> *Ideally Yarn Capacity Scheduler should be calling context.getLoggedinUser()
> instead of context.getUsername()*

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
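
The name mismatch described in the report, as an added example (not code from Ambari, Hadoop or the reporter): a simplified model of applying one auth_to_local rule and then looking up privileges under the mapped name versus the login name. The rule string is copied as it appears above; `apply_rule`, `privilege_status`, `check` and the `USERS` table are hypothetical names and constructed data, and the 200/403 lookup is a stand-in for the Ambari REST call.

```python
import re

# Simplified model of one Hadoop-style auth_to_local rule of the form
#   RULE:[<n>:<format>](<match regex>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")

# Rule string copied verbatim from the report.
RULE = "RULE:[1:$1](. *.*)s/ /_/g"

# Constructed sample data: the account is stored under the LDAP login name.
USERS = {"Akhil Naik": {"AMBARI.ADMINISTRATOR"}}
# Permission names taken from the query string in the logged URL.
ALLOWED = {"AMBARI.ADMINISTRATOR", "CLUSTER.ADMINISTRATOR", "CLUSTER.OPERATOR"}


def apply_rule(rule, principal):
    """Return the short name the rule produces, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    n, fmt, match_re, pat, repl, glob = m.groups()
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) != int(n):
        return None
    parts = [realm] + components  # $0 is the realm, $1..$n the components
    base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if not re.fullmatch(match_re, base):
        return None
    return re.sub(pat, repl, base, count=0 if glob else 1)


def privilege_status(lookup_name):
    """Stand-in for the /api/v1/users/<name>?privileges/... request:
    200 when the name resolves to an admin or operator, 403 otherwise."""
    return 200 if USERS.get(lookup_name, set()) & ALLOWED else 403


def check(login_name, use_mapped_name):
    """Look up privileges under the mapped name or under the login name."""
    name = apply_rule(RULE, login_name) if use_mapped_name else login_name
    return name, privilege_status(name)


if __name__ == "__main__":
    print(check("Akhil Naik", use_mapped_name=True))
    print(check("Akhil Naik", use_mapped_name=False))
```

Usernames without spaces pass through the rule unchanged, which is why the denial only shows up for accounts whose login name the rule rewrites.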