[
https://issues.apache.org/jira/browse/MAPREDUCE-3417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13200113#comment-13200113
]
Robert Joseph Evans commented on MAPREDUCE-3417:
------------------------------------------------
I just looked at the proxy changes and I am a bit confused why they are needed.
If security is enabled the proxy will try to warn the user that they may be
connecting to something that is unsafe. It should not change anything about
sending the user name over to the AM. All the changes seem to be doing is
enabling warning people if the authentication is set to anything that does not
evaluate to a boolean false, so it would be enabled for both kerberos and
simple, iff simple is explicitly set.
> job access controls not working app master and job history UI's
> ---------------------------------------------------------------
>
> Key: MAPREDUCE-3417
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-3417
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: mrv2
> Affects Versions: 0.23.0
> Reporter: Thomas Graves
> Assignee: Jonathan Eagles
> Priority: Blocker
> Fix For: 0.23.1
>
> Attachments: MAPREDUCE-3417.patch, MAPREDUCE-3417.patch,
> MAPREDUCE-3417.patch, MAPREDUCE-3417.patch, MAPREDUCE-3417.patch,
> MAPREDUCE-3417.patch, MAPREDUCE-3417.patch
>
>
> tested with security on, no filters defined for httpserver, job acls set so
> that only I could view/modify the job. Then went to the web ui to app master
> and job history server and both allowed me to view the job details. The
> webui shows the user "webuser". The RM properly rejected my request
> although it was using user "Dr.Who".
> The exception shown in the log is:
> 11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
> 11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception
> trying to get groups for user webuser
> org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user
> at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
> at org.apache.hadoop.util.Shell.run(Shell.java:188)
> at
> org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
> at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
> at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
> at
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
> at
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
> at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
> at
> org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
> at
> org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
> at
> org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
> at
> org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
> at
> org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
> at
> org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
> at
> org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
