[jira] [Resolved] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Storck resolved HADOOP-14699. -- Resolution: Resolved This issue will be resolved by HADOOP-9747. > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck >Priority: Major > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. There should not be an > implicit attempt to impersonate the second principal through the first > principal that logged in. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/ugi-test > {noformat}18:44:55.687 [pool-2-thread-2] WARN > h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while > performing task for [ugite...@example.com (auth:KERBEROS)] > org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not > allowed to impersonate ugite...@example.com > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) > at org.apache.hadoop.ipc.Client.call(Client.java:1427) > at org.apache.hadoop.ipc.Client.call(Client.java:1337) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) > at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) > at > org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > at > org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) > at > hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) > at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745){noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail:
[jira] [Commented] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16402207#comment-16402207 ] Jeff Storck commented on HADOOP-14699: -- [~xiaochen] Yes, this can be closed with the fixes for HADOOP-9747 in 3.x. > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck >Priority: Major > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. There should not be an > implicit attempt to impersonate the second principal through the first > principal that logged in. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/ugi-test > {noformat}18:44:55.687 [pool-2-thread-2] WARN > h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while > performing task for [ugite...@example.com (auth:KERBEROS)] > org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not > allowed to impersonate ugite...@example.com > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) > at org.apache.hadoop.ipc.Client.call(Client.java:1427) > at org.apache.hadoop.ipc.Client.call(Client.java:1337) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) > at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) > at > org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > at > org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) > at > hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) > at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745){noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail:
[jira] [Commented] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16269059#comment-16269059 ] Jeff Storck commented on HADOOP-14699: -- Thanks, [~daryn]. I appreciate your work on HADOOP-9747! > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. There should not be an > implicit attempt to impersonate the second principal through the first > principal that logged in. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/ugi-test > {noformat}18:44:55.687 [pool-2-thread-2] WARN > h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while > performing task for [ugite...@example.com (auth:KERBEROS)] > org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not > allowed to impersonate ugite...@example.com > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) > at org.apache.hadoop.ipc.Client.call(Client.java:1427) > at org.apache.hadoop.ipc.Client.call(Client.java:1337) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) > at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) > at > org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > at > org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) > at > hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) > at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745){noformat} -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail:
[jira] [Comment Edited] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16239746#comment-16239746 ] Jeff Storck edited comment on HADOOP-14699 at 11/28/17 6:05 AM: [~jnp] Please take a look at the [test code|https://github.com/jtstorck/ugi-test] I have provided. It shows a simplified scenario (inspired by a use case in NiFi) that causes the impersonation error. If two instantiations of the UGI class are used to represent two users, the impersonation error will occur on the relogin of the second user, provided that Hadoop is not configured to allow the impersonation. This use case of UGI occurs in NiFi when the Kerberos credentials in a Hadoop processor are changed from one user to another, with no intention of proxying a user. was (Author: jtstorck): [~jnp] Please take a look at the [test code|https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test] I have provided. It shows a simplified scenario (inspired by a use case in NiFi) that causes the impersonation error. If two instantiations of the UGI class are used to represent two users, the impersonation error will occur on the relogin of the second user, provided that Hadoop is not configured to allow the impersonation. This use case of UGI occurs in NiFi when the Kerberos credentials in a Hadoop processor are changed from one user to another, with no intention of proxying a user. > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. There should not be an > implicit attempt to impersonate the second principal through the first > principal that logged in. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/ugi-test > {noformat}18:44:55.687 [pool-2-thread-2] WARN > h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while > performing task for [ugite...@example.com (auth:KERBEROS)] > org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not > allowed to impersonate ugite...@example.com > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) > at org.apache.hadoop.ipc.Client.call(Client.java:1427) > at org.apache.hadoop.ipc.Client.call(Client.java:1337) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) > at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) > at > org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > at > org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) > at >
[jira] [Updated] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Storck updated HADOOP-14699: - Description: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. There should not be an implicit attempt to impersonate the second principal through the first principal that logged in. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/ugi-test {noformat}18:44:55.687 [pool-2-thread-2] WARN h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while performing task for [ugite...@example.com (auth:KERBEROS)] org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not allowed to impersonate ugite...@example.com at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) at org.apache.hadoop.ipc.Client.call(Client.java:1427) at org.apache.hadoop.ipc.Client.call(Client.java:1337) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) at hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745){noformat} was: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. There should not be an implicit attempt to impersonate the second principal through the first principal that logged in. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test {noformat}18:44:55.687 [pool-2-thread-2] WARN h.u.u.ugirunnable.ugite...@example.com - Unexpected
[jira] [Commented] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16267929#comment-16267929 ] Jeff Storck commented on HADOOP-14699: -- [~jnp] I updated the test code and provided new instructions for reproducing the impersonation issue. The test code has been updated to provide per-principal task configuration, and now writes files to HDFS rather than just retrieving status. Please let me know if you have any problems using the updated code. Thanks! > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. There should not be an > implicit attempt to impersonate the second principal through the first > principal that logged in. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test > {noformat}18:44:55.687 [pool-2-thread-2] WARN > h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while > performing task for [ugite...@example.com (auth:KERBEROS)] > org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not > allowed to impersonate ugite...@example.com > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) > at org.apache.hadoop.ipc.Client.call(Client.java:1427) > at org.apache.hadoop.ipc.Client.call(Client.java:1337) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) > at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) > at > org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > at > org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) > at > hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) > at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at >
[jira] [Commented] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16239746#comment-16239746 ] Jeff Storck commented on HADOOP-14699: -- [~jnp] Please take a look at the [test code|https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test] I have provided. It shows a simplified scenario (inspired by a use case in NiFi) that causes the impersonation error. If two instantiations of the UGI class are used to represent two users, the impersonation error will occur on the relogin of the second user, provided that Hadoop is not configured to allow the impersonation. This use case of UGI occurs in NiFi when the Kerberos credentials in a Hadoop processor are changed from one user to another, with no intention of proxying a user. > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. There should not be an > implicit attempt to impersonate the second principal through the first > principal that logged in. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test > {noformat}18:44:55.687 [pool-2-thread-2] WARN > h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while > performing task for [ugite...@example.com (auth:KERBEROS)] > org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not > allowed to impersonate ugite...@example.com > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) > at org.apache.hadoop.ipc.Client.call(Client.java:1427) > at org.apache.hadoop.ipc.Client.call(Client.java:1337) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) > at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) > at > org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > at > org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) > at > hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) > at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at >
[jira] [Commented] (HADOOP-9747) Reduce unnecessary UGI synchronization
[ https://issues.apache.org/jira/browse/HADOOP-9747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16126164#comment-16126164 ] Jeff Storck commented on HADOOP-9747: - [~daryn] Can you confirm that the two patches, HADOOP-9747.2.branch-2.patch and HADOOP-9747.2.trunk.patch (for their respective branches) are all that is needed to resolve the two open subtasks in this JIRA? I've done my own testing for two principals being logged in and that they are able to relogin simultaneously using a single classloader, and this fixes a core issue that NiFi has been trying to work around for quite a while. I have a suspicion that this might help us out with another issue regarding TDE where the hadoop client is not able to authenticate with a KMS (no TGT found) after successfully logging in with the KDC from a keytab. The client seems to be "forgetting" that a principal was logged in from a keytab and ends up falling back to the OS user. > Reduce unnecessary UGI synchronization > -- > > Key: HADOOP-9747 > URL: https://issues.apache.org/jira/browse/HADOOP-9747 > Project: Hadoop Common > Issue Type: Bug > Components: security >Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1 >Reporter: Daryn Sharp >Assignee: Daryn Sharp >Priority: Critical > Attachments: HADOOP-9747.2.branch-2.patch, HADOOP-9747.2.trunk.patch, > HADOOP-9747.branch-2.patch, HADOOP-9747.trunk.patch > > > Jstacks of heavily loaded NNs show up to dozens of threads blocking in the > UGI. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-9747) Reduce unnecessary UGI synchronization
[ https://issues.apache.org/jira/browse/HADOOP-9747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16116600#comment-16116600 ] Jeff Storck commented on HADOOP-9747: - [~djp] [~daryn] I've tested this patch against an HDP 2.6 cluster using the code I've linked on HADOOP-14699, and the results are promising. I'll be doing some more testing today to verify that the patch also resolves an issue with a single UGI that gets into a hung state where the principal has been "forgotten" and falls back to the login user, for which no ticket has been (or can be, in the tested configuration) be acquired. > Reduce unnecessary UGI synchronization > -- > > Key: HADOOP-9747 > URL: https://issues.apache.org/jira/browse/HADOOP-9747 > Project: Hadoop Common > Issue Type: Bug > Components: security >Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1 >Reporter: Daryn Sharp >Assignee: Daryn Sharp >Priority: Critical > Attachments: HADOOP-9747.2.branch-2.patch, HADOOP-9747.2.trunk.patch, > HADOOP-9747.branch-2.patch, HADOOP-9747.trunk.patch > > > Jstacks of heavily loaded NNs show up to dozens of threads blocking in the > UGI. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16107418#comment-16107418 ] Jeff Storck commented on HADOOP-14699: -- [~daryn] Excellent! I've linked HADOOP-9747 to this JIRA. > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. There should not be an > implicit attempt to impersonate the second principal through the first > principal that logged in. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test > {noformat}18:44:55.687 [pool-2-thread-2] WARN > h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while > performing task for [ugite...@example.com (auth:KERBEROS)] > org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not > allowed to impersonate ugite...@example.com > at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) > at org.apache.hadoop.ipc.Client.call(Client.java:1427) > at org.apache.hadoop.ipc.Client.call(Client.java:1337) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) > at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) > at > org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) > at > org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) > at > org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) > at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) > at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) > at > org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) > at > org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) > at > org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) > at > hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) > at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745){noformat} -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For
[jira] [Updated] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Storck updated HADOOP-14699: - Description: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. There should not be an implicit attempt to impersonate the second principal through the first principal that logged in. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test {noformat}18:44:55.687 [pool-2-thread-2] WARN h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while performing task for [ugite...@example.com (auth:KERBEROS)] org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not allowed to impersonate ugite...@example.com at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) at org.apache.hadoop.ipc.Client.call(Client.java:1427) at org.apache.hadoop.ipc.Client.call(Client.java:1337) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) at hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745){noformat} was: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. There should not be an implicit attempt to impersonate the second principal through the first principal that logged in. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test {quote}18:44:55.687 [pool-2-thread-2] WARN
[jira] [Updated] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Storck updated HADOOP-14699: - Description: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. There should not be an implicit attempt to impersonate the second principal through the first principal that logged in. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test {quote}18:44:55.687 [pool-2-thread-2] WARN h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while performing task for [ugite...@example.com (auth:KERBEROS)] org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not allowed to impersonate ugite...@example.com at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) at org.apache.hadoop.ipc.Client.call(Client.java:1427) at org.apache.hadoop.ipc.Client.call(Client.java:1337) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) at hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745){quote} was: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. There should not be an implicit attempt to impersonate the second principal through the first principal that logged in. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test {{18:44:55.687 [pool-2-thread-2] WARN
[jira] [Updated] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Storck updated HADOOP-14699: - Description: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. There should not be an implicit attempt to impersonate the second principal through the first principal that logged in. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test {{18:44:55.687 [pool-2-thread-2] WARN h.u.u.ugirunnable.ugite...@example.com - Unexpected exception while performing task for [ugite...@example.com (auth:KERBEROS)] org.apache.hadoop.ipc.RemoteException: User: ugite...@example.com is not allowed to impersonate ugite...@example.com at org.apache.hadoop.ipc.Client.getRpcResponse(Client.java:1481) at org.apache.hadoop.ipc.Client.call(Client.java:1427) at org.apache.hadoop.ipc.Client.call(Client.java:1337) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:227) at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:116) at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:787) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:398) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeMethod(RetryInvocationHandler.java:163) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invoke(RetryInvocationHandler.java:155) at org.apache.hadoop.io.retry.RetryInvocationHandler$Call.invokeOnce(RetryInvocationHandler.java:95) at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:335) at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source) at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1700) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1436) at org.apache.hadoop.hdfs.DistributedFileSystem$27.doCall(DistributedFileSystem.java:1433) at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81) at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1448) at hadoop.ugitest.UgiTestMain$UgiRunnable.lambda$run$2(UgiTestMain.java:194) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1807) at hadoop.ugitest.UgiTestMain$UgiRunnable.run(UgiTestMain.java:194) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)}} was: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL:
[jira] [Updated] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Storck updated HADOOP-14699: - Description: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test was: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
[ https://issues.apache.org/jira/browse/HADOOP-14699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeff Storck updated HADOOP-14699: - Description: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin and perform an action using a UGI.doAs(). An impersonation will occur and the operation attempted by the second principal after relogging in will fail. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test was: Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin. An impersonation will occur and the operation attempted by the second principal after relogging in will fail. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test > Impersonation errors with UGI after second principal relogin > > > Key: HADOOP-14699 > URL: https://issues.apache.org/jira/browse/HADOOP-14699 > Project: Hadoop Common > Issue Type: Bug > Components: common >Affects Versions: 2.6.2, 2.7.3, 2.8.1 >Reporter: Jeff Storck > > Multiple principals that are logged in using UGI instances that are > instantiated from a UGI class loaded by the same classloader will encounter > problems when the second principal attempts to relogin and perform an action > using a UGI.doAs(). An impersonation will occur and the operation attempted > by the second principal after relogging in will fail. > I have created a GitHub project that exhibits the impersonation error with > brief instructions on how to set up for the test and run it: > https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Created] (HADOOP-14699) Impersonation errors with UGI after second principal relogin
Jeff Storck created HADOOP-14699: Summary: Impersonation errors with UGI after second principal relogin Key: HADOOP-14699 URL: https://issues.apache.org/jira/browse/HADOOP-14699 Project: Hadoop Common Issue Type: Bug Components: common Affects Versions: 2.8.1, 2.7.3, 2.6.2 Reporter: Jeff Storck Multiple principals that are logged in using UGI instances that are instantiated from a UGI class loaded by the same classloader will encounter problems when the second principal attempts to relogin. An impersonation will occur and the operation attempted by the second principal after relogging in will fail. I have created a GitHub project that exhibits the impersonation error with brief instructions on how to set up for the test and run it: https://github.com/jtstorck/kerberos-examples/tree/master/hadoop/ugi-test -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org