[
https://issues.apache.org/jira/browse/MAPREDUCE-3668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188002#comment-13188002
]
Jason Lowe commented on MAPREDUCE-3668:
---------------------------------------
The quick fix doesn't exactly meet their needs, since in the past everyone
could at least see jobs were running. The quick fix would prevent a user from
seeing anything but their own jobs (barring ACL exceptions), and some of the
tests submit jobs as various users then later monitors their status with this
command.
For now QE can make progress setting the view-job ACL to *, but it would be
nice to have a real fix.
> AccessControlException when running mapred job -list command
> ------------------------------------------------------------
>
> Key: MAPREDUCE-3668
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-3668
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: client, mrv2, security
> Affects Versions: 0.23.1
> Reporter: Jason Lowe
> Assignee: Jason Lowe
> Priority: Blocker
>
> If a user tries to examine the status of all jobs running on a secure cluster
> the mapred client can fail with an AccessControlException. For example,
> submitting two jobs each from a different user then trying to query the
> status as the second user can fail like this:
> $ mapred job -list all
> 12/01/12 20:01:12 WARN conf.Configuration: mapred.used.genericoptionsparser
> is deprecated. Instead, use
> mapreduce.client.genericoptionsparser.used
> Total jobs:2
> JobId State StartTime UserName Queue Priority Maps
> Reduces UsedContainers RsvdContainers UsedMem RsvdMem NeededMem AM
> info
> 12/01/12 20:01:14 INFO mapred.ClientServiceDelegate: Application state is
> completed. FinalApplicationStatus=SUCCEEDED. Redirecting to job history server
> job_1326396427223_0002 SUCCEEDED 1326398424244 user2 default
> NORMAL 2 2 0 0 0M 0M 0M
> hostremoved:8088/proxy/application_1326396427223_0002/jobhistory/job/job_1326396427223_2_2
> 12/01/12 20:01:14 INFO mapred.ClientServiceDelegate: Application state is
> completed. FinalApplicationStatus=SUCCEEDED. Redirecting to job history server
> 12/01/12 20:01:14 WARN mapred.ClientServiceDelegate: Error from remote end:
> User user2 cannot perform operation VIEW_JOB on job_1326396427223_0001
> Exception in thread "main" RemoteTrace:
> java.security.AccessControlException: User user2 cannot perform operation
> VIEW_JOB on job_1326396427223_0001
> at
> org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.checkAccess(HistoryClientService.java:293)
> at
> org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.verifyAndGetJob(HistoryClientService.java:184)
> at
> org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.getJobReport(HistoryClientService.java:200)
> at
> org.apache.hadoop.mapreduce.v2.api.impl.pb.service.MRClientProtocolPBServiceImpl.getJobReport(MRClientProtocolPBServiceImpl.java:106)
> at
> org.apache.hadoop.yarn.proto.MRClientProtocol$MRClientProtocolService$2.callBlockingMethod(MRClientProtocol.java:187)
> at
> org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Server.call(ProtoOverHadoopRpcEngine.java:344)
> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:1490)
> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:1486)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1157)
> at org.apache.hadoop.ipc.Server$Handler.run(Server.java:1484)
> at Local Trace:
> org.apache.hadoop.yarn.exceptions.impl.pb.YarnRemoteExceptionPBImpl:
> User user2 cannot perform operation VIEW_JOB on job_1326396427223_0001
> at
> org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:151)
> at $Proxy10.getJobReport(Unknown Source)
> at
> org.apache.hadoop.mapreduce.v2.api.impl.pb.client.MRClientProtocolPBClientImpl.getJobReport(MRClientProtocolPBClientImpl.java:104)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at
> org.apache.hadoop.mapred.ClientServiceDelegate.invoke(ClientServiceDelegate.java:328)
> at
> org.apache.hadoop.mapred.ClientServiceDelegate.getJobStatus(ClientServiceDelegate.java:405)
> at
> org.apache.hadoop.mapred.YARNRunner.getJobStatus(YARNRunner.java:431)
> at org.apache.hadoop.mapreduce.Cluster.getJob(Cluster.java:186)
> at org.apache.hadoop.mapreduce.tools.CLI.displayJobList(CLI.java:571)
> at org.apache.hadoop.mapreduce.tools.CLI.listAllJobs(CLI.java:500)
> at org.apache.hadoop.mapreduce.tools.CLI.run(CLI.java:298)
> at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:69)
> at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:83)
> at org.apache.hadoop.mapred.JobClient.main(JobClient.java:1209)
> The information provided by the command is similar to what is presented on
> the ResourceManager web UI, and that page has no security.
> Marking this as a blocker since many of our automated acceptance tests use
> this command to obtain the status of jobs running in the cluster.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
