[
https://issues.apache.org/jira/browse/MAPREDUCE-3470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13157087#comment-13157087
]
stephen mulcahy commented on MAPREDUCE-3470:
--------------------------------------------
Hi, sorry, I thought MAPREDUCE-2219 had introduced the permissions check on
mapred.system.dir (resetting it to 700 on jobtracker startup) but I didn't read
it closely enough. You are correct, it is not the cause of this.
I think a potential solution is to have the jobtracker not reset the
permissions on mapred.system.dir on startup although there may be other good
reasons to have the permissions set the way they are.
> Jobtracker sets permissions on mapred.system.dir to 700 preventing
> non-superusers from submitting jobs to multi-user cluster
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: MAPREDUCE-3470
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-3470
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: jobtracker
> Affects Versions: 0.20.205.0
> Environment: Debian 6.0 x64_64
> java version "1.6.0_26"
> Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
> Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
> Reporter: stephen mulcahy
>
> (See thread discussing here -
> https://mail-archives.apache.org/mod_mbox/hadoop-common-user/201111.mbox/%[email protected]%3E)
> I have installed a hadoop 0.20.205.0 cluster for use by multiple users, each
> of which will submit their jobs from remote client systems. I have disabled
> security
> <property>
> <name>hadoop.security.authorization</name>
> <value>false</value>
> </property>
> <property>
> <name>hadoop.security.authentication</name>
> <value>simple</value>
> </property>
> When a user other than super-user attempts to submit a job, they get the
> following error
> 11/11/09 16:32:53 INFO mapred.FileInputFormat: Total input paths to process :
> 2
> 11/11/09 16:32:53 INFO mapred.JobClient: Running job: job_201111091731_0003
> 11/11/09 16:32:54 INFO mapred.JobClient: map 0% reduce 0%
> 11/11/09 16:32:54 INFO mapred.JobClient: Job complete: job_201111091731_0003
> 11/11/09 16:32:54 INFO mapred.JobClient: Counters: 0
> 11/11/09 16:32:54 INFO mapred.JobClient: Job Failed: Job initialization
> failed:
> org.apache.hadoop.security.AccessControlException:
> org.apache.hadoop.security.AccessControlException: Permission denied:
> user=smulcahy, access=EXECUTE, inode="system":hadoop:supergroup:rwx------
> .....
> which seems to be due to not being able to create a jobToken file in
> <mapred.system.dir>/<job id>/jobToken
> I can reset the permissions on mapred.system.dir to something like 777 but
> when I restart the jobtracker, it resets the permissions back to 700,
> requiring another permissions reset.
> This gives rise to a few questions,
> 1. Should I be able to use a hadoop cluster in this fashion or is this not
> supported (if not, supported, I guess close this bug as invalid). If it is
> not supported, it reduces the usability of hadoop for a class of users like
> myself (but maybe thats a small class).
> 2. If I should be able to use the cluster like this, should
> <mapred.system.dir>/<job id>/jobToken need to be created if security is
> disabled? If no, then I guess is the bug that needs to be fixed. If yes, then
> the jobtracker needs to be modified to allow everyone to create dirs in
> mapred.system.dir (or the method of creation of the jobToken file needs to be
> changed).
> Apologies if this was operator error but I didn't get much feedback on the
> mailing lists so not sure where/how else to raise this.
> Changed introduced in MAPREDUCE-2219
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
