Posted to issues@ambari.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2019/02/07 10:32:00 UTC

[jira] [Commented] (AMBARI-25139) Yarn Capacity Scheduler Authorization issues due to AuthToLocal Rules

    [ https://issues.apache.org/jira/browse/AMBARI-25139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16762553#comment-16762553 ] 

Hudson commented on AMBARI-25139:
---------------------------------

SUCCESS: Integrated in Jenkins build Ambari-trunk-Commit #10457 (See [https://builds.apache.org/job/Ambari-trunk-Commit/10457/])
AMBARI-25139 Yarn Capacity Scheduler Authorization issues due to (m.magyar3: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=2c0687ab1cb8a4ecb35715c8b632a764003c070b])
* (edit) contrib/views/capacity-scheduler/src/main/java/org/apache/ambari/view/capacityscheduler/ConfigurationService.java


> Yarn Capacity Scheduler Authorization issues due to AuthToLocal Rules
> ---------------------------------------------------------------------
>
>                 Key: AMBARI-25139
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25139
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-views
>    Affects Versions: 2.6.2, 2.7.3
>            Reporter: Akhil S Naik
>            Assignee: Akhil S Naik
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> Yarn Capacity Scheduler is having issues with authorization if AuthToLocal rules are enabled.
> Problem statement: I am logging in as an LDAP user synced with Ambari, and my username contains spaces, for example 'Akhil Naik'. The user is an Ambari Admin user.
> In core-site.xml the AuthToLocal rules are set:
> {code:java}
> RULE:[1:$1](. *.*)s/ /_/g
> {code}
> It will display:
> *"Warning! You do not have permission to edit the Capacity Scheduler configuration. Contact your Cluster administrator."*
> and the logs state:
> {code:java}
> The authenticated user is not authorized to perform the requested operation
> 28 Jan 2019 17:56:03,488 ERROR [ambari-client-thread-277] [CAPACITY-SCHEDULER 1.0.0 AUTO_CS_INSTANCE] ConfigurationService:333 - Got Error response from url : /api/v1/users/chitrartha_sur?privileges/PrivilegeInfo/permission_name=AMBARI.ADMINISTRATOR|(privileges/PrivilegeInfo/permission_name.in(CLUSTER.ADMINISTRATOR,CLUSTER.OPERATOR)&privileges/PrivilegeInfo/cluster_name=v01eaedl). Response : {
>   "status" : 403,
>   "message" : "The authenticated user is not authorized to perform the requested operation"
> }
> org.apache.ambari.view.AmbariHttpException: {
>   "status" : 403,
>   "message" : "The authenticated user is not authorized to perform the requested operation"
> }
>         at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:135)
>         at org.apache.ambari.server.view.ViewAmbariStreamProvider.getInputStream(ViewAmbariStreamProvider.java:123)
>         at org.apache.ambari.server.view.ViewAmbariStreamProvider.readFrom(ViewAmbariStreamProvider.java:85)
>         at org.apache.ambari.view.utils.ambari.AmbariApi.readFromAmbari(AmbariApi.java:130)
>         at org.apache.ambari.view.capacityscheduler.ConfigurationService.isOperator(ConfigurationService.java:322)
>         at org.apache.ambari.view.capacityscheduler.ConfigurationService.getPrivilege(ConfigurationService.java:239)
> {code}
> Root cause:
> Currently, after the fix of https://issues.apache.org/jira/browse/AMBARI-14503 , I see Ambari Server is converting AuthToLocal changes for usernames (code: https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/ambari-server/src/main/java/org/apache/ambari/server/view/ViewContextImpl.java#L233 )
> and Yarn Capacity Scheduler is calling this method (https://github.com/apache/ambari/blob/5460e8952729854f1c032a781c9a8de608ba4475/contrib/views/capacity-scheduler/src/main/java/org/apache/ambari/view/capacityscheduler/ConfigurationService.java#L319); Ambari Server rejects the request, stating no permission.
> *Ideally Yarn Capacity Scheduler should be calling context.getLoggedinUser() instead of context.getUsername()*



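An added example, not part of the original report or Ambari's code: a minimal Python evaluator for the auth_to_local rule quoted in the issue, used to list which login names get rewritten and would therefore hit the mismatch between `context.getUsername()` and `context.getLoggedinUser()`. The sample logins, the `EXAMPLE.COM` realm, appending the realm to the login name, and all function names are assumptions; only the single `RULE:[n:format](match)s/pattern/replacement/g` form is handled.

```python
import re

# Shape of a Hadoop auth_to_local rule: RULE:[n:format](match)s/pattern/replacement/g
RULE_RE = re.compile(
    r"RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>.*?)\))?"
    r"(?:s/(?P<pat>[^/]*)/(?P<repl>[^/]*)/(?P<g>g?))?$"
)

def apply_rule(rule, principal):
    """Return the short name the rule produces, or None if it does not apply."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")          # $0 is the realm, $1.. the components
    if len(parts) - 1 != int(m["n"]):
        return None                            # wrong number of components
    short = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], m["fmt"])
    if m["match"] is not None and not re.fullmatch(m["match"], short):
        return None                            # match regex must cover the whole string
    if m["pat"] is not None:
        # Replacement is treated as literal text (no back-references).
        short = re.sub(m["pat"], lambda _m: m["repl"], short, count=0 if m["g"] else 1)
    return short

def affected_logins(rules, logins, realm):
    """Map each login whose short name differs from the login name to that short name."""
    hits = {}
    for login in logins:
        for rule in rules:
            short = apply_rule(rule, "%s@%s" % (login, realm))
            if short is not None:              # first applicable rule wins
                if short != login:
                    hits[login] = short
                break
    return hits

# Rule copied from the report; logins and realm are constructed sample values.
RULES = ["RULE:[1:$1](. *.*)s/ /_/g"]
LOGINS = ["Akhil Naik", "admin", "ops user 2"]

if __name__ == "__main__":
    for login, short in affected_logins(RULES, LOGINS, "EXAMPLE.COM").items():
        print("%r maps to %r: /api/v1/users/%s will not match the login" % (login, short, short))
```

Any login reported here is one for which a view that builds `/api/v1/users/<name>` from the mapped short name queries a different name than the one the user authenticated with.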