[jira] [Commented] (YARN-10340) HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
[ https://issues.apache.org/jira/browse/YARN-10340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17153240#comment-17153240 ]

Prabhu Joseph commented on YARN-10340:
--------------------------------------

Thanks [~tarunparimi] for the analysis.

bq. This creates a separate rpc client instance every time though which is not efficient.

This won't be a problem as these newly added WebServices (YARN-10028) are used only by Yarn UI2, unless a user opens a huge number of UI2 pages at a time. Also, this is the right way of achieving doAs for RPC calls.

> HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
> ---------------------------------------------------------------------------------------------------------
>
> Key: YARN-10340
> URL: https://issues.apache.org/jira/browse/YARN-10340
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Prabhu Joseph
> Assignee: Tarun Parimi
> Priority: Major
>
> HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
>
> [http://:19888/ws/v1/history/containers/container_e03_1594030808801_0002_01_03/logs|http://pjoseph-secure-1.pjoseph-secure.root.hwx.site:19888/ws/v1/history/containers/container_e03_1594030808801_0002_01_03/logs]
>
> While accessing the above link as the systest user, the request fails, saying the mapred user does not have access to the job.
>
> {code:java}
> 2020-07-06 14:02:59,178 WARN org.apache.hadoop.yarn.server.webapp.LogServlet: Could not obtain node HTTP address from provider.
> javax.ws.rs.WebApplicationException: org.apache.hadoop.yarn.exceptions.YarnException: User mapred does not have privilege to see this application application_1593997842459_0214
>   at org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getContainerReport(ClientRMService.java:516)
>   at org.apache.hadoop.yarn.api.impl.pb.service.ApplicationClientProtocolPBServiceImpl.getContainerReport(ApplicationClientProtocolPBServiceImpl.java:466)
>   at org.apache.hadoop.yarn.proto.ApplicationClientProtocol$ApplicationClientProtocolService$2.callBlockingMethod(ApplicationClientProtocol.java:639)
>   at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:528)
>   at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1070)
>   at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:985)
>   at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:913)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAs(Subject.java:422)
>   at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1876)
>   at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2882)
>   at org.apache.hadoop.yarn.server.webapp.WebServices.rewrapAndThrowThrowable(WebServices.java:544)
>   at org.apache.hadoop.yarn.server.webapp.WebServices.rewrapAndThrowException(WebServices.java:530)
>   at org.apache.hadoop.yarn.server.webapp.WebServices.getContainer(WebServices.java:405)
>   at org.apache.hadoop.yarn.server.webapp.WebServices.getNodeHttpAddress(WebServices.java:373)
>   at org.apache.hadoop.yarn.server.webapp.LogServlet.getContainerLogsInfo(LogServlet.java:268)
>   at org.apache.hadoop.mapreduce.v2.hs.webapp.HsWebServices.getContainerLogs(HsWebServices.java:461)
> {code}
>
> On analyzing, found that WebServices#getContainer uses doAs with a UGI created by createRemoteUser(end user) to access RM#ApplicationClientProtocol, which does not work. Need to use createProxyUser to do the same.

-- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
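
Added example, not code from the issue or from Hadoop: a sketch of the impersonation pattern this thread points at, combining the issue description's createProxyUser with the observation that the RPC proxy keeps the UGI it was created under. The class and method names (ImpersonatedContainerReport, fetchAs) are hypothetical, and running it assumes the Hadoop/YARN client libraries on the classpath and a reachable ResourceManager.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerReportRequest;
import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.ContainerReport;
import org.apache.hadoop.yarn.client.ClientRMProxy;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnException;

/** Hypothetical helper for illustration; not part of Hadoop. */
public final class ImpersonatedContainerReport {

  static ContainerReport fetchAs(String remoteUser, String containerId, Configuration conf)
      throws IOException, InterruptedException {
    if (remoteUser == null || remoteUser.isEmpty()) {
      // Never fall back silently to the service's own login identity.
      throw new IOException("no authenticated remote user on the request");
    }
    // Real user: the service's login identity. Effective user: the HTTP caller.
    UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
        remoteUser, UserGroupInformation.getLoginUser());
    GetContainerReportRequest request =
        GetContainerReportRequest.newInstance(ContainerId.fromString(containerId));

    return proxyUgi.doAs((PrivilegedExceptionAction<ContainerReport>) () -> {
      // The proxy is created inside doAs so that it is bound to proxyUgi;
      // a proxy built at service start-up keeps the login user's identity.
      ApplicationClientProtocol rm =
          ClientRMProxy.createRMProxy(conf, ApplicationClientProtocol.class);
      try {
        return rm.getContainerReport(request).getContainerReport();
      } catch (YarnException e) {
        // doAs would otherwise surface this as UndeclaredThrowableException.
        throw new IOException(e);
      } finally {
        RPC.stopProxy(rm); // one proxy per request, so release it
      }
    });
  }

  // args[0] = end user to act as, args[1] = container id
  public static void main(String[] args) throws Exception {
    ContainerReport report = fetchAs(args[0], args[1], new YarnConfiguration());
    System.out.println(report.getContainerId() + " on " + report.getNodeHttpAddress());
  }
}
```

The ResourceManager accepts the impersonated call only if the real user is authorized as a proxy user, for example through `hadoop.proxyuser.mapred.hosts` together with `hadoop.proxyuser.mapred.groups` or `hadoop.proxyuser.mapred.users` when the HistoryServer runs as mapred, as in this thread.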
[jira] [Commented] (YARN-10340) HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
[ https://issues.apache.org/jira/browse/YARN-10340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17153225#comment-17153225 ]

Tarun Parimi commented on YARN-10340:
-------------------------------------

[~prabhujoseph], The issue is because the HistoryClientService#initializeWebApp instantiates the RPC client connection when creating the WebApp.

{code:java}
ApplicationClientProtocol appClientProtocol =
    ClientRMProxy.createRMProxy(conf, ApplicationClientProtocol.class);
{code}

This RPC client proxy instance will only use the mapred ugi at the time of creation and even for subsequent calls irrespective of doAs.

I made a code change to check by adding the below method in HSWebServices and it works with the correct ugi, fixing the issue.

{code:java}
@Override
protected ContainerReport getContainerReport(
    GetContainerReportRequest request) throws YarnException, IOException {
  return ClientRMProxy.createRMProxy(conf, ApplicationClientProtocol.class)
      .getContainerReport(request).getContainerReport();
}
{code}

This creates a separate rpc client instance every time though, which is not efficient.

[jira] [Commented] (YARN-10340) HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
[ https://issues.apache.org/jira/browse/YARN-10340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152501#comment-17152501 ]

Tarun Parimi commented on YARN-10340:
-------------------------------------

[~prabhujoseph], [~brahmareddy] The WebServices#getContainer works properly when called by RMWebServices or AHSWebServices. This could be because they use their own ClientRMService and ApplicationHistoryClientService respectively. But HsWebServices now uses ClientRMService remotely, and so doAs doesn't work here as expected.

[jira] [Commented] (YARN-10340) HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
[ https://issues.apache.org/jira/browse/YARN-10340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152173#comment-17152173 ]

Prabhu Joseph commented on YARN-10340:
--------------------------------------

[~brahmareddy] This issue happens irrespective of the HADOOP-16095 change. Looks like this issue has been present for a long time.

*Repro:*

Setup: Secure cluster + HistoryServer runs as mapred user + yarn.admin.acl=yarn and ACL for queues are set to " "

1. Run a mapreduce sleep job as userA
2. Access http://:19888/ws/v1/history/containers/container_e03_1594030808801_0002_01_03/logs as userA after kinit.
3. The request fails with the below error in HistoryServer logs

{code}
2020-07-06 14:02:59,178 WARN org.apache.hadoop.yarn.server.webapp.LogServlet: Could not obtain node HTTP address from provider.
javax.ws.rs.WebApplicationException: org.apache.hadoop.yarn.exceptions.YarnException: User mapred does not have privilege to see this application application_1593997842459_0214
  at org.apache.hadoop.yarn.server.resourcemanager.ClientRMService.getContainerReport(ClientRMService.java:516)
{code}

[jira] [Commented] (YARN-10340) HsWebServices getContainerReport uses loginUser instead of remoteUser to access ApplicationClientProtocol
[ https://issues.apache.org/jira/browse/YARN-10340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152142#comment-17152142 ]

Brahma Reddy Battula commented on YARN-10340:
---------------------------------------------

Does this relate to HADOOP-16095?
