[ https://issues.apache.org/jira/browse/MAPREDUCE-3417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13200095#comment-13200095 ]
Jonathan Eagles commented on MAPREDUCE-3417:
--------------------------------------------
bq. Instead of Hadoop authorization flag, we should instead be looking at
YarnConfiguration#YARN_ACL_ENABLE. It is debatable whether we need a separate
config item besides hadoop-auth flag, but let us resolve that separately and be
consistent here.

After discussing with Vinod, the correct setting for now will be
MRConfig.MR_ACLS_ENABLED. Since that is already checked in JobACLsManager, I
just deleted the AUTHORIZATION check in JobImpl and CompletedJob.

bq. Good job on the test! But we shouldn't be needing to set
MRConfig.MR_ACLS_ENABLED as that is a MRV1 config which we don't want to use
here at all.

As part of changes with first comment, now setting only MR_ACLS_ENABLED and
removed AUTHORIZATION set in test code.

bq. Am not sure of the expected behavior of the proxy. Can Robert/Thomas pitch
in?

Will ping one of them to take a look at the proxy change.

> job access controls not working app master and job history UI's
> ---------------------------------------------------------------
>
> Key: MAPREDUCE-3417
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-3417
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: mrv2
> Affects Versions: 0.23.0
> Reporter: Thomas Graves
> Assignee: Jonathan Eagles
> Priority: Blocker
> Fix For: 0.23.1
>
> Attachments: MAPREDUCE-3417.patch, MAPREDUCE-3417.patch,
> MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch,
> MAPREDUCE-3417.patch
>
>
> Tested with security on, no filters defined for httpserver, job acls set so
> that only I could view/modify the job. Then went to the web ui to app master
> and job history server and both allowed me to view the job details. The
> webui shows the user "webuser". The RM properly rejected my request
> although it was using user "Dr.Who".
> The exception shown in the log is:
> 11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
> 11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user webuser
> org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user
> at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
> at org.apache.hadoop.util.Shell.run(Shell.java:188)
> at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
> at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
> at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
> at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
> at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
> at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
> at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
> at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
> at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
> at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
> at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
> at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
> at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)