[jira] [Commented] (SPARK-21521) History service requires user is in any group

2018-02-14 Thread Wei Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16365208#comment-16365208
 ] 

Wei Zheng commented on SPARK-21521:
---

We came across the same problem recently - SHS UI only shows the jobs for the 
user who started SHS service. Although that user is a super user (both in local 
FS and HDFS), it cannot read other users' job log files (due to rwxrwx---).

Special logic to tell whether a user is a super user is nice, but I don't know 
if that's doable, because that logic may be vendor specific. For those using 
HDFS maybe we can read dfs.permissions.supergroup from hdfs-site.xml and tell, 
but other systems like MapR don't use hdfs-site.xml at all but have different 
configs. I don't know if that's the case for other vendors.

We currently work around this issue by changing LOG_FILE_PERMISSIONS from 770 
to 774. I'm not sure if that's a safe change though.

> History service requires user is in any group
> -
>
> Key: SPARK-21521
> URL: https://issues.apache.org/jira/browse/SPARK-21521
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 2.2.0
> Reporter: Adrian Bridgett
> Priority: Major
>
> (Regression cf. 2.0.2)
> We run spark as several users, these write to the history location where the 
> files are saved as those users with permissions of 770 (this is hardcoded in 
> EventLoggingListener.scala).
> The history service runs as root so that it has permissions on these files 
> (see https://spark.apache.org/docs/latest/security.html).
> This worked fine in v2.0.2, however in v2.2.0 the events are being skipped 
> unless I add the root user into each user's group, at which point they are seen.
> We currently have all acls configuration unset.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
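
Added example, not part of the original thread and not Spark's code: a small Python model of an owner/group/other read check that treats no user as special, applied to the thread's case (root in groups root and airflow, event log owned by ubuntu:ubuntu with mode 770). It compares the proposed superuser special case, a setgid event log directory and the 774 workaround; the `spark` and `guest` accounts and all function names are assumptions made for the illustration.

```python
import stat
from collections import namedtuple

Account = namedtuple("Account", "name groups")
LogFile = namedtuple("LogFile", "owner group mode")  # mode: bits such as 0o770

def can_read(user, f, superusers=frozenset()):
    """Owner/group/other read check; the first matching class decides.
    `superusers` models the proposed special case; empty means none."""
    if user.name in superusers:
        return True
    if user.name == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in user.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def new_log(writer, primary_group, dir_group, dir_mode, file_mode=0o770):
    """Local-FS rule: the file takes the directory's group only when the
    directory has the setgid bit, otherwise the writer's primary group."""
    group = dir_group if dir_mode & stat.S_ISGID else primary_group
    return LogFile(writer, group, file_mode)

def readers(accounts, f, superusers=frozenset()):
    return sorted(a.name for a in accounts if can_read(a, f, superusers))

# Constructed accounts: root and ubuntu follow the thread's `id` and `ls`
# output; "spark" (the history server user) and "guest" are made up.
ROOT = Account("root", {"root", "airflow"})
UBUNTU = Account("ubuntu", {"ubuntu"})
SPARK = Account("spark", {"spark"})
GUEST = Account("guest", {"guest"})
ALL = [ROOT, UBUNTU, SPARK, GUEST]

def scenarios():
    plain = new_log("ubuntu", "ubuntu", "spark", 0o1777)         # sticky only
    setgid = new_log("ubuntu", "ubuntu", "spark", 0o3777)        # setgid + sticky
    world = new_log("ubuntu", "ubuntu", "spark", 0o1777, 0o774)  # 774 workaround
    return {
        "770, no setgid": readers(ALL, plain),
        "770, root special-cased": readers(ALL, plain, frozenset({"root"})),
        "770, setgid directory": readers(ALL, setgid),
        "774, no setgid": readers(ALL, world),
    }

if __name__ == "__main__":
    for name, who in scenarios().items():
        print(f"{name:26} -> {who}")
```

In this model the setgid directory gives read access only to members of the directory's group, while mode 774 makes each event log readable by every account on the host.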



[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-25 Thread Marcelo Vanzin (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16100354#comment-16100354
 ] 

Marcelo Vanzin commented on SPARK-21521:


BTW I'd be ok with just properly documenting the expected directory 
permissions. While it's unusual for root to fail in this mode, deploying 
with a local event log directory is not really a normal use case, and neither is 
running the SHS as root.




[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-25 Thread Saisai Shao (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099629#comment-16099629
 ] 

Saisai Shao commented on SPARK-21521:
-

I think we should have special logic to treat special users like "root"; 
in the current logic we don't have such logic and treat "root" as a normal 
user, which is why it fails in this case.




[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-24 Thread Saisai Shao (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099392#comment-16099392
 ] 

Saisai Shao commented on SPARK-21521:
-

[~vanzin], I guess so. In the current logic of {{checkAccessPermission}} we 
don't differentiate special users, so user "root" here is still just a normal 
user. Let me verify it.




[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-24 Thread Marcelo Vanzin (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099114#comment-16099114
 ] 

Marcelo Vanzin commented on SPARK-21521:


Just to double-correct myself, it should really be {{3777}}.




[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-24 Thread Adrian Bridgett (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099111#comment-16099111
 ] 

Adrian Bridgett commented on SPARK-21521:
-

Thanks Marcelo - good idea regarding the setgid bit - that's definitely cleaner 
than my current workaround :)
(3775 for setgid rather than 4775 I think though - 2 for the setgid, 1 for the 
sticky bit)

And thanks for such a speedy response!




[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-24 Thread Marcelo Vanzin (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099100#comment-16099100
 ] 

Marcelo Vanzin commented on SPARK-21521:


Hmm, if you're using a local FS it should work since root there should be able 
to read everything.

[~jerryshao] do you think the {{checkAccessPermission}} code you added could be 
misbehaving here? It doesn't seem to treat any user as special, so maybe.

[~abridgett] you could try setting the directory's permissions to {{4755}}; 
that should mimic the HDFS behavior of inheriting the directory's group when 
creating new files.




[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-24 Thread Adrian Bridgett (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099090#comment-16099090
 ] 

Adrian Bridgett commented on SPARK-21521:
-

Hmm, I didn't check that (it's actually just a local filesystem in this case, 
but I take the point that it's accessed via the Hadoop FS API).

Not sure why it's changed behaviour in 2.2.0 compared to 2.0.2 though. 

Just checked access via hadoop (using hdfs command line) and it's certainly 
still able to access it:
{noformat}
~# id
uid=0(root) gid=0(root) groups=0(root),997(airflow)

~# ls -l /var/log/spark/events/a5bab156-b4c2-41a2-93f2-11ba78c99c6e-12221.lz4
-rwxrwx--- 1 ubuntu ubuntu 13982 Jul 24 17:57 /var/log/spark/events/a5bab156-b4c2-41a2-93f2-11ba78c99c6e-12221.lz4

~# hdfs dfs -cat /var/log/spark/events/a5bab156-b4c2-41a2-93f2-11ba78c99c6e-12221.lz4id
..(stuff)
{noformat}





[jira] [Commented] (SPARK-21521) History service requires user is in any group

2017-07-24 Thread Marcelo Vanzin (JIRA)

[ 
https://issues.apache.org/jira/browse/SPARK-21521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099078#comment-16099078
 ] 

Marcelo Vanzin commented on SPARK-21521:


This smells of a configuration issue... {{root}} is not a special user on HDFS, 
so running the SHS as root doesn't mean much assuming you're using HDFS.

For HDFS, the event log directory should have "1777" permissions, and the group 
should be a group to which the SHS user belongs. e.g., in my cluster:

{noformat}
$ hdfs dfs -ls /user/spark
Found 1 items
drwxrwxrwt   - spark spark  0 2017-07-24 13:26 /user/spark/applicationHistory
{noformat}

My SHS runs as user "spark" which belongs to group "spark".
