[ https://issues.apache.org/jira/browse/TEZ-1640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14164064#comment-14164064 ]

Bikas Saha commented on TEZ-1640:
---------------------------------

Can you please clarify/confirm the following:

Your client runs as foo.
Your client starts TezClient as effective user bar (via the UGI.createProxyUser 
code).
This causes TezClient to start the AM as user bar.
AM runs as user bar.
TezClient (running as effective bar) tries to contact the AM running as bar.
TezClient gets error.

If the answer is yes to all of the above then please attach the client side and 
AM logs. Could you please enable debug logging on both the client and the AM?


> Unable to achieve Secured Impersonation
> ---------------------------------------
>
>                 Key: TEZ-1640
>                 URL: https://issues.apache.org/jira/browse/TEZ-1640
>             Project: Apache Tez
>          Issue Type: Bug
>    Affects Versions: 0.5.0
>            Reporter: Subroto Sanyal
>
> My client is running with user "subroto" and following are the entries in the 
> xmls:
> {code:xml|title=core-site.xml|borderStyle=solid}
>                <property>
>                 <name>hadoop.proxyuser.subroto.groups</name>
>                 <value>impersonatedgroup</value>
>                </property>
>                <property>
>                 <name>hadoop.proxyuser.subroto.hosts</name>
>                 <value>*</value>
>                </property>
> {code}
> I have a user _qa_ which belongs to the group _impersonatedgroup_.
> Following is the code to launch the DAGAppMaster:
> {code:java|title=TezClientWrapper.java|borderStyle=solid}
> TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new PrivilegedExceptionAction<TezClient>() {
>                 @Override
>                 public TezClient run() throws Exception {
>                     final TezConfiguration tezConf = createTezConf(conf, jobContext);
>                     if (amSpecificProperties != null) {
>                         applyAmSpecificProperties(tezConf, amSpecificProperties);
>                     }
>                     UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
>                     LOG.info("Current User:" + currentUser);
>                     File tokenFile = new File(System.getProperty("java.io.tmpdir"), tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
>                     LOG.info("Token File:" + tokenFile.getAbsolutePath());
>                     currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), conf);
>                     tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, tokenFile.getAbsolutePath());
>                     TezClient tezClient = TezClient.create(tezSessionName, tezConf, createSession, localResourceMap, currentUser.getCredentials());
>                     tezClient.setAppMasterCredentials(currentUser.getCredentials());
>                     tezClient.start();
>                     tezClient.waitTillReady();
>                     return tezClient;
>                 }
>             });{code}
> The log obtained from executing this piece of code is:
> {noformat}Current User:qa (auth:PROXY) via [email protected] (auth:KERBEROS){noformat}
> The code fails in: _tezClient.waitTillReady();_
> From the Resource Manager UI I can see that an application is launched with 
> user _qa_.
> Failure stack-trace:
> {noformat}
>  (UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
> Failed to retrieve AM Status via proxy
> com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "ip-10-178-144-254/10.178.144.254"; destination host is: "ip-10-187-33-206":56660;
>         at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
>         at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
>         at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
>         at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
>         at test.app.Security.doAs(Security.java:65)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
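
An added example, not part of the original message and not Hadoop or Tez code: a small offline audit of the `hadoop.proxyuser.*` entries quoted in the issue, to confirm that the configuration as written lets `subroto` impersonate a member of `impersonatedgroup`. The function names are hypothetical, group membership is supplied by the caller rather than resolved through Hadoop's group mapping, and host matching is simplified to `*` or an exact string.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two properties quoted in the issue, wrapped in a
# <configuration> root so the fragment parses as a core-site.xml file.
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.subroto.groups</name>
    <value>impersonatedgroup</value>
  </property>
  <property>
    <name>hadoop.proxyuser.subroto.hosts</name>
    <value>*</value>
  </property>
</configuration>"""

PREFIX = "hadoop.proxyuser."


def load_proxy_rules(xml_text):
    """Return {real_user: {"groups": set, "hosts": set}} from core-site.xml text."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # "subroto.groups" -> real user "subroto", rule kind "groups"
        real_user, _, kind = name[len(PREFIX):].rpartition(".")
        if real_user and kind in ("groups", "hosts"):
            entries = {v.strip() for v in value.split(",") if v.strip()}
            rules.setdefault(real_user, {"groups": set(), "hosts": set()})[kind] = entries
    return rules


def may_impersonate(rules, real_user, target_groups, client_host):
    """True only when both the group rule and the host rule admit the request."""
    rule = rules.get(real_user)
    if rule is None:
        return False  # no proxyuser entries at all for this real user
    group_ok = "*" in rule["groups"] or bool(rule["groups"] & set(target_groups))
    host_ok = "*" in rule["hosts"] or client_host in rule["hosts"]
    return group_ok and host_ok


if __name__ == "__main__":
    rules = load_proxy_rules(CORE_SITE)
    # qa's group membership is taken from the issue text; the host is the
    # client address shown in the stack trace.
    print(may_impersonate(rules, "subroto", ["impersonatedgroup"], "10.178.144.254"))
```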
