[jira] [Updated] (TEZ-1640) Unable to achieve Secured Impersonation

Thu, 09 Oct 2014 08:21:59 -0700 

     [ 
https://issues.apache.org/jira/browse/TEZ-1640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Subroto Sanyal updated TEZ-1640:
--------------------------------
    Attachment: client_log.txt
                app_master_syslog.txt

hi [~bikassaha],

Attached the client and app master log.
My client run as _subroto_ and I start the _DagAppmaster_ (TezClient) as _qa_ 
(via the UGI.createProxyUser code).
I can see that the _DagAppmaster_ is running as user _qa_ on _ResourceManager_ 
UI. _qa_ invokes _waitTillReady_ on _TezClient_ and ends up with the exceptions.

> Unable to achieve Secured Impersonation
> ---------------------------------------
>
>                 Key: TEZ-1640
>                 URL: https://issues.apache.org/jira/browse/TEZ-1640
>             Project: Apache Tez
>          Issue Type: Bug
>    Affects Versions: 0.5.0
>            Reporter: Subroto Sanyal
>         Attachments: app_master_syslog.txt, client_log.txt
>
>
> My client is running with user "subroto" and following are the entries in the 
> xmls:
> {code:xml|title=core-site.xml|borderStyle=solid}
>                <property>
>                 <name>hadoop.proxyuser.subroto.groups</name>
>                 <value>impersonatedgroup</value>
>                 </property>
>                <property>
>                 <name>hadoop.proxyuser.subroto.hosts</name>
>                 <value>*</value>
>                </property>
> {code}
> I have a user _qa_ which belongs to the the group _impersonatedgroup_ .
> Following is the code to launch the DAGAppMaster
> {code:java|title=TezClientWrapper.java|borderStyle=solid}
> TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new 
> PrivilegedExceptionAction<TezClient>() {
>                 @Override
>                 public TezClient run() throws Exception {
>                     final TezConfiguration tezConf = createTezConf(conf, 
> jobContext);
>                     if (amSpecificProperties != null) {
>                         applyAmSpecificProperties(tezConf, 
> amSpecificProperties);
>                     }
>                     UserGroupInformation currentUser = 
> UserGroupInformation.getCurrentUser();
>                     LOG.info("Current User:" + currentUser);
>                     File tokenFile = new 
> File(System.getProperty("java.io.tmpdir"), 
> tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
>                     LOG.info("Token File:" + tokenFile.getAbsolutePath());
>                     
> currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()),
>  conf);
>                     tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, 
> tokenFile.getAbsolutePath());
>                     TezClient tezClient = TezClient.create(tezSessionName, 
> tezConf, createSession, localResourceMap, currentUser.getCredentials());
>                     
> tezClient.setAppMasterCredentials(currentUser.getCredentials());
>                     tezClient.start();
>                     tezClient.waitTillReady();
>                     return tezClient;
>                 }
>             });{code}
> The logs so obtained from this piece of code execution is:
> {noformat}Current User:qa (auth:PROXY) via [email protected] 
> (auth:KERBEROS){noformat}
> The  code piece fails in: _tezClient.waitTillReady();_
> From the Resource Manager UI I can see that a application is launched with 
> user _qa_.
> Failure stack-trace:
> {noformat}
>  (UserGroupInformation.java:1551) - PriviledgedActionException as:qa 
> (auth:SIMPLE) cause:java.io.IOException: 
> org.apache.hadoop.security.AccessControlException: Client cannot authenticate 
> via:[TOKEN, KERBEROS]
> Failed to retrieve AM Status via proxy
> com.google.protobuf.ServiceException: java.io.IOException: Failed on local 
> exception: java.io.IOException: 
> org.apache.hadoop.security.AccessControlException: Client cannot authenticate 
> via:[TOKEN, KERBEROS]; Host Details : local host is: 
> "ip-10-178-144-254/10.178.144.254"; destination host is: 
> "ip-10-187-33-206":56660;
>         at 
> org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
>         at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
>         at 
> org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
>         at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
>         at test.app.Security.doAs(Security.java:65)
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to