You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Tarun Parimi (JIRA)" <ji...@apache.org> on 2018/05/30 17:33:00 UTC

[jira] [Created] (AMBARI-23984) ResourceManager Web UI alert leads to frequent group mapping lookups in RM

Tarun Parimi created AMBARI-23984:
-------------------------------------

             Summary: ResourceManager Web UI alert leads to frequent group mapping lookups in RM 
                 Key: AMBARI-23984
                 URL: https://issues.apache.org/jira/browse/AMBARI-23984
             Project: Ambari
          Issue Type: Bug
          Components: alerts
    Affects Versions: 2.6.0
            Reporter: Tarun Parimi


In YARN ResourceManager(RM)  log, I see group mapping lookup performed for HTTP user every minute.
{code:java}
2018-05-23 10:47:22,537 WARN security.ShellBasedUnixGroupsMapping (ShellBasedUnixGroupsMapping.java:getUnixGroups(87)) - got exception trying to get groups for user HTTP: id: HTTP: no such user 
2018-05-23 10:48:22,228 WARN security.ShellBasedUnixGroupsMapping (ShellBasedUnixGroupsMapping.java:getUnixGroups(87)) - got exception trying to get groups for user HTTP: id: HTTP: no such user 
2018-05-23 10:49:22,330 WARN security.ShellBasedUnixGroupsMapping (ShellBasedUnixGroupsMapping.java:getUnixGroups(87)) - got exception trying to get groups for user HTTP: id: HTTP: no such user 
{code}
Identified that it is due to *ResourceManager Web UI* alert due to the reasons mentioned in AMBARI-23026 .

But this WARN message is not present in Namenode logs even though *NameNode Web UI* alert is configured with the same HTTP principal.

The difference in RM is that the *{\{yarn-site/yarn.resourcemanager.webapp.address}}* configured will by default fetch the RM applications page. To serve this page, the RM has to fetch all its applications (default:10000) and performs ACL checks  on whether the user requesting the page can view the application.

So requesting the default page of RM every one minute can result in group mapping lookups and also multiple entries in Ranger audit logs if Ranger Yarn Plugin is configured.

To avoid these unnecessary overheads, we should change the http/s uri property to something like  "\{{yarn-site/yarn.resourcemanager.webapp.address}}/cluster/cluster". This url will not need any group mapping lookups or ACL checks. This will avoid the above problems and the http request done for the alert will be much faster.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)