Pakapoj Tulsuk created HDDS-5193:
------------------------------------

             Summary: Permission Deny when using auth:TOKEN
                 Key: HDDS-5193
                 URL: https://issues.apache.org/jira/browse/HDDS-5193
             Project: Apache Ozone
          Issue Type: Bug
          Components: OM
    Affects Versions: 1.1.0
         Environment: An Ozone (version 1.1, built from source) cluster with 3 
masters and 3 datanodes deployed on bare metal (VMs) running CentOS 7 

 
            Reporter: Pakapoj Tulsuk
         Attachments: ozone-client-kerberos.log, ozone-client-token.log, 
ozone-java-client.java

Hi, I got stuck on a permission issue where I am writing data, a text 
file, to an Ozone path {{/vol1/bucket1/mykey}}.

* With {{auth:KERBEROS}} it is able to complete the task:

2021-04-29 11:49:01,145 [Socket Reader #1 for port 9862] INFO 
SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for 
[email protected] (auth:KERBEROS) from ip.ip.ip.ip:40294

* With {{auth:TOKEN}} it got stuck on this error despite the permissions given on 
{{/vol1}} and {{/bucket1}} (see below):

2021-04-29 11:49:08,327 [Socket Reader #1 for port 9862] INFO 
SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for 
[email protected] (auth:TOKEN) from ip.ip.ip.ip:40412
2021-04-29 11:49:12,228 [Socket Reader #1 for port 9862] INFO 
SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for 
[email protected] (auth:TOKEN) from ip.ip.ip.ip:35266
2021-04-29 11:49:14,671 [OM StateMachine ApplyTransaction Thread - 0] WARN 
org.apache.hadoop.ozone.om.OzoneManager: User [email protected] doesn't have 
WRITE permission to access key 
/vol1/bucket1/mykey/_temporary/0/_temporary/attempt_202104290449105826106778232640855_0000_m_000000_0/part-00000-9f9c4fcc-5e96-43ee-b53e-913a06729109-c000.txt/106146807974133768
2021-04-29 11:49:14,672 [OM StateMachine ApplyTransaction Thread - 0] ERROR 
org.apache.hadoop.ozone.om.request.key.OMKeyCommitRequest: Key commit failed. 
Volume:vol1, Bucket:bucket1, 
Key:mykey/_temporary/0/_temporary/attempt_202104290449105826106778232640855_0000_m_000000_0/part-00000-9f9c4fcc-5e96-43ee-b53e-913a06729109-c000.txt.
PERMISSION_DENIED org.apache.hadoop.ozone.om.exceptions.OMException: User 
[email protected] doesn't have WRITE permission to access key vol1 bucket1 
mykey/_temporary/0/_temporary/attempt_202104290449105826106778232640855_0000_m_000000_0/part-00000-9f9c4fcc-5e96-43ee-b53e-913a06729109-c000.txt/106146807974133768
        at 
org.apache.hadoop.ozone.om.OzoneManager.checkAcls(OzoneManager.java:1803)
        at 
org.apache.hadoop.ozone.om.request.OMClientRequest.checkAcls(OMClientRequest.java:207)
        at 
org.apache.hadoop.ozone.om.request.OMClientRequest.checkAcls(OMClientRequest.java:185)
        at 
org.apache.hadoop.ozone.om.request.key.OMKeyRequest.checkKeyAcls(OMKeyRequest.java:437)
        at 
org.apache.hadoop.ozone.om.request.key.OMKeyRequest.checkKeyAclsInOpenKeyTable(OMKeyRequest.java:485)
        at 
org.apache.hadoop.ozone.om.request.key.OMKeyCommitRequest.validateAndUpdateCache(OMKeyCommitRequest.java:139)
        at 
org.apache.hadoop.ozone.protocolPB.OzoneManagerRequestHandler.handleWriteRequest(OzoneManagerRequestHandler.java:227)
        at 
org.apache.hadoop.ozone.om.ratis.OzoneManagerStateMachine.runCommand(OzoneManagerStateMachine.java:415)
        at 
org.apache.hadoop.ozone.om.ratis.OzoneManagerStateMachine.lambda$applyTransaction$1(OzoneManagerStateMachine.java:240)
        at 
java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1604)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748) 

*Given Permission*
$ ozone sh vol getacl /vol1/
[ {
  "type" : "USER",
  "name" : "pakapoj_tul",
  "aclScope" : "ACCESS",
  "aclList" : [ "WRITE", "ALL" ]
}, {
  "type" : "USER",
  "name" : "[email protected]",
  "aclScope" : "ACCESS",
  "aclList" : [ "WRITE", "ALL" ]
}, {
  "type" : "USER",
  "name" : "[email protected]",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "ozone-admin",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "ozone-users",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
} ]
$ ozone sh bucket getacl /vol1/bucket1/
[ {
  "type" : "USER",
  "name" : "[email protected]",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "ozone-admin",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "ozone-users",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "USER",
  "name" : "[email protected]",
  "aclScope" : "ACCESS",
  "aclList" : [ "WRITE", "ALL" ]
}, {
  "type" : "USER",
  "name" : "pakapoj_tul",
  "aclScope" : "ACCESS",
  "aclList" : [ "WRITE", "ALL" ]
} ]
$ ozone sh key getacl /vol1/bucket1/mykey/
[ {
  "type" : "USER",
  "name" : "[email protected]",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "ozone-admin",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "GROUP",
  "name" : "ozone-users",
  "aclScope" : "ACCESS",
  "aclList" : [ "ALL" ]
}, {
  "type" : "USER",
  "name" : "[email protected]",
  "aclScope" : "ACCESS",
  "aclList" : [ "WRITE", "ALL" ]
}, {
  "type" : "USER",
  "name" : "pakapoj_tul",
  "aclScope" : "ACCESS",
  "aclList" : [ "WRITE", "ALL" ]
} ]
 
The Spark code was deployed in Kubernetes in Spark cluster mode. The 
error then happens on the Spark executors' side when they do {{commitKey}} with 
{{auth:TOKEN}}. BTW, the Spark driver was using {{auth:KERBEROS}}.
 
So I reproduced it using the Ozone Java client, writing to Ozone with {{OzoneClient}} 
using:
 # Token, by {{export HADOOP_TOKEN_FILE_LOCATION=credential/ozone.token}} 
before running the program
 # Keytab, by running {{/usr/bin/kinit -kt credential/pakapoj_tul.keytab 
[email protected]}} before running the program

The code and the output for #1 and #2 (DEBUG) are in the attachments.
 



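A triage aid for the symptom reported above, added here as an example and not part of the original report or of Apache Ozone: it pairs each OM ACL denial with the authentication methods the same principal used shortly before it. It assumes one log record per line (unlike the mail-wrapped excerpt above); the principal, addresses and key path in the sample are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: one record per line, in the OM log format quoted in the
# report. Principal, addresses and key path are placeholders.
SAMPLE_LOG = """\
2021-04-29 11:49:01,145 [Socket Reader #1 for port 9862] INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for user1@EXAMPLE.COM (auth:KERBEROS) from 10.0.0.5:40294
2021-04-29 11:49:08,327 [Socket Reader #1 for port 9862] INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for user1@EXAMPLE.COM (auth:TOKEN) from 10.0.0.6:40412
2021-04-29 11:49:14,671 [OM StateMachine ApplyTransaction Thread - 0] WARN org.apache.hadoop.ozone.om.OzoneManager: User user1@EXAMPLE.COM doesn't have WRITE permission to access key /vol1/bucket1/mykey/_temporary/0/part-00000.txt
"""

_TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
AUTH_RE = re.compile(_TS + r".*SecurityLogger\S*: Auth successful for "
                     r"(?P<user>\S+) \(auth:(?P<method>\w+)\) from (?P<src>\S+)")
DENY_RE = re.compile(_TS + r".*WARN org\.apache\.hadoop\.ozone\.om\.OzoneManager: User "
                     r"(?P<user>\S+) doesn't have (?P<right>\w+) permission "
                     r"to access key (?P<key>\S+)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def correlate(log_text, window_s=60):
    """Attach to each ACL denial the auth methods its principal used shortly before."""
    auths = {}      # principal -> [(time, method, source), ...] in log order
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            auths.setdefault(m["user"], []).append((_ts(m["ts"]), m["method"], m["src"]))
            continue
        m = DENY_RE.match(line)
        if not m:
            continue    # stack-trace lines and unrelated records
        when = _ts(m["ts"])
        recent = [a for a in auths.get(m["user"], [])
                  if timedelta(0) <= when - a[0] <= timedelta(seconds=window_s)]
        findings.append({
            "time": m["ts"], "user": m["user"], "right": m["right"], "key": m["key"],
            "latest_method": recent[-1][1] if recent else None,
            "methods_in_window": sorted({a[1] for a in recent}),
            "sources": sorted({a[2] for a in recent}),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

The pairing is by principal and time only, so when one principal has concurrent KERBEROS and TOKEN connections, `methods_in_window` lists both and the source addresses are what tell the clients apart.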