[
https://issues.apache.org/jira/browse/YARN-8722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16595440#comment-16595440
]
Eric Yang commented on YARN-8722:
---------------------------------
The YARN implementation is built as a thick client and thick server. The thick
client can run in the server as well. Without a security ACL, it becomes
possible to reverse engineer the thick client and send network packets to fool
the server into performing operations.

In the current implementation, we cannot recommend running without proxy user
setup, because the spec file is stored in the end user's home directory instead
of being centralized. There was a proposal to centralize the metadata in
YARN-7399. The centralized meta store must define an ACL to represent which
user can access which app. Those details need to be hashed out to remove the
proxy user ACL dependency that we have today.

> Failed to get native service application status when security is enabled
> -------------------------------------------------------------------------
>
> Key: YARN-8722
> URL: https://issues.apache.org/jira/browse/YARN-8722
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn-native-services
> Reporter: Zac Zhou
> Priority: Major
> Attachments: stack.txt, standlone-tf.json
>
>
> Can't get job status with the following command, after a submarine job is
> submitted.
> bin/yarn app -status standlone-tf (service name)
> The environment context is as follows:
> 1) Security enabled.
> kerberos
> 2) Klist output
> Ticket cache: FILE:/tmp/krb5cc_1010
> Default principal: hadoop/admin@HADOOP.****.COM
> Valid starting       Expires              Service principal
> 08/28/2018 10:50:07  08/28/2018 20:50:07  krbtgt/HADOOP.****.COM@HADOOP.****.COM
>         renew until 08/29/2018 10:50:07
> 3) Service spec json.
> standlone-tf.json in the attachment
> 4) service HDFS path permission.
> drwxr-x--- - hadoop hdfs 0 2018-08-27 15:54 hdfs://submarine/user/hadoop/.yarn/services/standlone-tf
> drwxr-x--- - hadoop hdfs 0 2018-08-27 15:54 hdfs://submarine/user/hadoop/.yarn/services/standlone-tf/lib
> -rw-rw-rw- 2 hadoop hdfs 2228 2018-08-27 15:54 hdfs://submarine/user/hadoop/.yarn/services/standlone-tf/standlone-tf.json
> 5) Stacktrace.
> stack.txt in the attachment
> 6) yarn app -status -> error.
> bin/yarn app -status standlone-tf (service name)