Posted to yarn-issues@hadoop.apache.org by "Rohith Sharma K S (JIRA)" <ji...@apache.org> on 2018/07/16 05:25:00 UTC

[jira] [Resolved] (YARN-8539) TimelineWebService#getUser null leads to empty entities list

     [ https://issues.apache.org/jira/browse/YARN-8539?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rohith Sharma K S resolved YARN-8539.
-------------------------------------
    Resolution: Invalid

[~shenyinjie] I believe you are facing this issue in a non-secure cluster by enabling ACLs. So this is an issue with your cluster setup, which doesn't contain proper filters to get user names. You should configure hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer in core-site.xml and use the REST API with the query parameter, i.e. _?user.name=shenyinjie_. This should solve your issue.

I am closing the JIRA as invalid. If you still couldn't achieve it, feel free to reopen and discuss it.

> TimelineWebService#getUser null leads to empty entities list
> ------------------------------------------------------------
>
>                 Key: YARN-8539
>                 URL: https://issues.apache.org/jira/browse/YARN-8539
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineservice
>            Reporter: Shen Yinjie
>            Priority: Major
>
> When we integrate tez-ui with the timeline server and set yarn.acl.enabled=true, tez-ui will invoke the timeline REST interface (ws/v1/timeline/TEZ_DAG_ID) to get all DAGs. But tez-ui shows "no records available".
> After some digging, I found that when tez-ui invokes ".../ws/v1/timeline/TEZ_DAG_ID", TimelineWebService#getUser(HttpServletRequest req) returns callerUgi = null.
> In TimelineACLsManager#checkAccess():
> {code:java}
> ......
> if (callerUGI != null
> && (adminAclsManager.isAdmin(callerUGI) ||
> callerUGI.getShortUserName().equals(owner) ||
> domainACL.isUserAllowed(callerUGI))) {
> return true;
> }
> return false;
> }
> {code}
> Finally, tez-ui gets nothing because it couldn't pass this checkAccess().
> I also referred to the similar code in RMWebServices:
> {code}
> protected Boolean hasAccess(RMApp app, HttpServletRequest hsr) {
>  // Check for the authorization.
>  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
> ......
>  if (callerUGI != null
>  && !(this.rm.getApplicationACLsManager().checkAccess(callerUGI,
>  ApplicationAccessType.VIEW_APP, app.getUser(),
>  app.getApplicationId())
>  || this.rm.getQueueACLsManager().checkAccess(callerUGI,
>  QueueACL.ADMINISTER_QUEUE, app, hsr.getRemoteAddr(),
>  forwardedAddresses))) {
>  return false;
>  }
>  return true;
>  }
> {code}
>  
> When callerUgi = null, hasAccess() returns true.
> So, I made a similar fix for TimelineWebServices.



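Added example, not part of the original message and not Hadoop code: a simplified model of the two checks quoted above, showing how each treats a caller that no authentication filter resolved. Plain strings stand in for UserGroupInformation, the domain ACL lookup is omitted, and resolveCaller, timelineStyle, rmStyle and the sample users "yarn" and "mallory" are hypothetical names.

```java
import java.util.Set;

// Simplified model: strings replace UserGroupInformation; domain ACLs are left out.
public class NullCallerAclDemo {

    // Models what an authentication filter supplies: the caller named by the
    // user.name query parameter, or null when no identity was established.
    static String resolveCaller(String query) {
        if (query == null) return null;
        String key = "user.name=";
        for (String pair : query.split("&")) {
            if (pair.startsWith(key) && pair.length() > key.length()) {
                return pair.substring(key.length());
            }
        }
        return null;
    }

    // Shape of the quoted TimelineACLsManager#checkAccess: a null caller is denied.
    static boolean timelineStyle(String caller, String owner, Set<String> admins) {
        return caller != null && (admins.contains(caller) || caller.equals(owner));
    }

    // Shape of the quoted RMWebServices#hasAccess: a null caller skips the ACL test.
    static boolean rmStyle(String caller, String owner, Set<String> admins) {
        if (caller != null && !(caller.equals(owner) || admins.contains(caller))) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Set<String> admins = Set.of("yarn");   // constructed sample data
        String owner = "shenyinjie";           // entity owner, as in the thread
        String[] queries = { null, "user.name=shenyinjie", "user.name=mallory" };
        for (String q : queries) {
            String caller = resolveCaller(q);
            System.out.printf("query=%-22s caller=%-11s timeline=%-5b rm=%b%n",
                    q, caller,
                    timelineStyle(caller, owner, admins),
                    rmStyle(caller, owner, admins));
        }
    }
}
```

The first row (no user.name, so a null caller) is the only one where the two checks disagree; that row is the case the thread is about.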