Yu Gao commented on YARN-2407:

After turn on debug, got this in ApplicationMaster log:
DEBUG [IPC Server handler 0 on 36796] org.apache.hadoop.mapred.JobACLsManager: 
checkAccess job acls, jobOwner: yarn jobacl: VIEW_JOB user: user1

The jobOwner above is incorrect. It should be user1 since it was user1 who 
submitted the job.

This error is caused by an incorrect implementation in JobImpl, which has 
defined two 
user name fields:
username - user got from system property user.name, which is the container 
process owner
userName - the value is passed in via JobImpl constructor, which is the end 
user who has submitted the job
The JobImpl#checkAccess method should have used userName as the job owner, 
instead of username.

> Users are not allowed to view their own jobs, denied by JobACLsManager
> ----------------------------------------------------------------------
>                 Key: YARN-2407
>                 URL: https://issues.apache.org/jira/browse/YARN-2407
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: applications
>    Affects Versions: 2.4.1
>            Reporter: Yu Gao
> Have a Hadoop 2.4.1 cluster with Yarn ACL enabled, and try to submit jobs as 
> a non-admin user user1. The job could be finished successfully, but the 
> running progress was not displayed correctly on the commad-line, and I got 
> following in the corresponding ApplicationMaster log:
> INFO [IPC Server handler 0 on 56717] org.apache.hadoop.ipc.Server: IPC Server 
> handler 0 on 56717, call 
> org.apache.hadoop.mapreduce.v2.api.MRClientProtocolPB.getJobReport from 
> Call#59 Retry#0
> org.apache.hadoop.security.AccessControlException: User user1 cannot perform 
> operation VIEW_JOB on job_1407456690588_0003
>       at 
> org.apache.hadoop.mapreduce.v2.app.client.MRClientService$MRClientProtocolHandler.verifyAndGetJob(MRClientService.java:191)
>       at 
> org.apache.hadoop.mapreduce.v2.app.client.MRClientService$MRClientProtocolHandler.getJobReport(MRClientService.java:233)
>       at 
> org.apache.hadoop.mapreduce.v2.api.impl.pb.service.MRClientProtocolPBServiceImpl.getJobReport(MRClientProtocolPBServiceImpl.java:122)
>       at 
> org.apache.hadoop.yarn.proto.MRClientProtocol$MRClientProtocolService$2.callBlockingMethod(MRClientProtocol.java:275)
>       at 
> org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:585)
>       at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:928)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2013)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2009)
>       at 
> java.security.AccessController.doPrivileged(AccessController.java:366)
>       at javax.security.auth.Subject.doAs(Subject.java:572)
>       at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1567)
>       at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2007)

This message was sent by Atlassian JIRA

Reply via email to