[
https://issues.apache.org/jira/browse/MAPREDUCE-4329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13437476#comment-13437476
]
Sho Shimauchi commented on MAPREDUCE-4329:
------------------------------------------
Thanks for the advice, Harsh.
In trunk, MR_AM_SECURITY_SERVICE_AUTHORIZATION_TASK_UMBILICAL is used only in
the MRAMPolicyProvider class.
{code:java}
private static final Service[] mapReduceApplicationMasterServices =
    new Service[] {
      new Service(
          MRJobConfig.MR_AM_SECURITY_SERVICE_AUTHORIZATION_TASK_UMBILICAL,
          TaskUmbilicalProtocol.class),
      new Service(
          MRJobConfig.MR_AM_SECURITY_SERVICE_AUTHORIZATION_CLIENT,
          MRClientProtocolPB.class)
    };
{code}
I found the new property "security.job.task.protocol.acl" is documented in
hadoop-policy.xml.
I'll file a new JIRA and do the same way with trunk.
> security.task.umbilical.protocol.acl should not be configurable
> ---------------------------------------------------------------
>
> Key: MAPREDUCE-4329
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-4329
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.3
> Reporter: Sho Shimauchi
> Assignee: Sho Shimauchi
> Attachments: MAPREDUCE-4329.txt, MAPREDUCE-4329.txt
>
>
> On running a MapReduce job, the username is changed to the jobid and the job fails.
> The exception is as follows:
> {code}
> 2012-06-08 19:39:26,555 WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_201206081934_0002
> org.apache.hadoop.util.Shell$ExitCodeException: id: job_201206081934_0002: no such user
>     at org.apache.hadoop.util.Shell.runCommand(Shell.java:255)
>     at org.apache.hadoop.util.Shell.run(Shell.java:182)
>     at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:375)
>     at org.apache.hadoop.util.Shell.execCommand(Shell.java:461)
>     at org.apache.hadoop.util.Shell.execCommand(Shell.java:444)
>     at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:68)
>     at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:45)
>     at org.apache.hadoop.security.Groups.getGroups(Groups.java:79)
>     at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1026)
>     at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:141)
>     at org.apache.hadoop.security.authorize.ServiceAuthorizationManager.authorize(ServiceAuthorizationManager.java:99)
>     at org.apache.hadoop.ipc.Server.authorize(Server.java:1659)
>     at org.apache.hadoop.ipc.Server$Connection.authorizeConnection(Server.java:1320)
>     at org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:1286)
>     at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1182)
>     at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537)
>     at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:680)
> {code}
> This issue can be reproduced by the following steps:
> 1. Set hadoop.security.authorization = true in core-site.xml
> {code}
> <property>
>   <name>hadoop.security.authorization</name>
>   <value>true</value>
> </property>
> {code}
> 2. Set any value except for '*' to security.task.umbilical.protocol.acl in
> hadoop-policy.xml
> {code}
> <property>
>   <name>security.task.umbilical.protocol.acl</name>
>   <value>sho sho</value>
>   <description>ACL for TaskUmbilicalProtocol, used by the map and reduce
>   tasks to communicate with the parent tasktracker.
>   The ACL is a comma-separated list of user and group names. The user and
>   group list is separated by a blank. For e.g. "alice,bob users,wheel".
>   A special value of "*" means all users are allowed.</description>
> </property>
> {code}
> 3. Run any mapreduce job.
> h4. Code Analysis
> ./src/mapred/org/apache/hadoop/mapred/Child.java:102-118
> {code}
> UserGroupInformation taskOwner =
>     UserGroupInformation.createRemoteUser(firstTaskid.getJobID().toString());
> taskOwner.addToken(jt);
>
> // Set the credentials
> defaultConf.setCredentials(credentials);
>
> final TaskUmbilicalProtocol umbilical =
>     taskOwner.doAs(new PrivilegedExceptionAction<TaskUmbilicalProtocol>() {
>       @Override
>       public TaskUmbilicalProtocol run() throws Exception {
>         return (TaskUmbilicalProtocol) RPC.getProxy(TaskUmbilicalProtocol.class,
>             TaskUmbilicalProtocol.versionID,
>             address,
>             defaultConf);
>       }
>     });
> {code}
> This code indicates that TaskUmbilicalProtocol uses jobid as username.
> This code came from MAPREDUCE-1457.
> https://issues.apache.org/jira/browse/MAPREDUCE-1457
> Devaraj said as follows in the JIRA:
> {quote}
> 2) In Child.java, the task authenticates to the TaskTracker using the
> jobtoken. The username in the jobtoken is jobId. The doAs block done using
> taskOwner is required so that the username mentioned in the token and the one
> doing the operation matches.
> {quote}
> We can't change security.task.umbilical.protocol.acl; it should always be '*'.
> TaskUmbilicalProtocol should be removed from MapReducePolicyProvider to
> disable security.task.umbilical.protocol.acl.
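An added example, not part of the JIRA issue or of Hadoop's code base: a simplified Python model of the users/groups ACL check described in the report, together with an audit of a hadoop-policy.xml fragment for a restricted umbilical ACL. The function names, the `os_groups` mapping and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

UMBILICAL_KEY = "security.task.umbilical.protocol.acl"

# Constructed sample mirroring the hadoop-policy.xml fragment in the report.
POLICY_XML = """<configuration>
  <property>
    <name>security.task.umbilical.protocol.acl</name>
    <value>sho sho</value>
  </property>
</configuration>"""

def parse_acl(value):
    """Split 'user1,user2 group1,group2' into (all_allowed, users, groups)."""
    if value.strip() == "*":
        return True, set(), set()
    parts = value.split(" ", 1)  # users before the blank, groups after it
    users = {u for u in parts[0].split(",") if u}
    groups = {g for g in parts[1].split(",") if g} if len(parts) > 1 else set()
    return False, users, groups

def is_user_allowed(acl_value, user, os_groups):
    """Simplified model of the check; os_groups maps OS accounts to groups."""
    all_allowed, users, groups = parse_acl(acl_value)
    if all_allowed or user in users:
        return True
    # A job id has no OS account, so its group lookup returns nothing
    # (the "no such user" warning in the log) and no group entry can match.
    return bool(groups & set(os_groups.get(user, ())))

def read_property(xml_text, key):
    """Return the raw <value> for key, or None if the file does not set it."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() == key:
            return prop.findtext("value") or ""
    return None

def audit_umbilical_acl(xml_text):
    """Return a finding if the umbilical ACL is restricted, else None."""
    value = read_property(xml_text, UMBILICAL_KEY)
    # Assumption: a key missing from this file is treated as unrestricted.
    if value is None or value.strip() == "*":
        return None
    return f"{UMBILICAL_KEY}={value!r} restricts an RPC that tasks call as the job id"

if __name__ == "__main__":
    print(audit_umbilical_acl(POLICY_XML))
    print(is_user_allowed("sho sho", "job_201206081934_0002", {"sho": ["sho"]}))
```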