You are viewing a plain text version of this content. The canonical link for it is here.
Posted to mapreduce-dev@hadoop.apache.org by "Thomas Graves (Created) (JIRA)" <ji...@apache.org> on 2011/11/16 22:01:51 UTC
[jira] [Created] (MAPREDUCE-3417) job access controls let invalid
user see job info via web ui when they shouldn't be able to
job access controls let invalid user see job info via web ui when they shouldn't be able to
-------------------------------------------------------------------------------------------
Key: MAPREDUCE-3417
URL: https://issues.apache.org/jira/browse/MAPREDUCE-3417
Project: Hadoop Map/Reduce
Issue Type: Bug
Components: mrv2
Affects Versions: 0.23.0
Reporter: Thomas Graves
Priority: Critical
tested with security on, no filters defined for httpserver, job acls set so that only I could view/modify the job. Then went to the web ui to app master and job history server and both allowed me to view the job details. The webui shows the user "webuser". The RM properly rejected my request although it was using user "Dr.Who".
The exception shown in the log is:
11/11/16 18:58:53 INFO mapred.JobACLsManager: job checkAccess user is: webuser
11/11/16 18:58:53 WARN security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user webuser
org.apache.hadoop.util.Shell$ExitCodeException: id: webuser: No such user
at org.apache.hadoop.util.Shell.runCommand(Shell.java:261)
at org.apache.hadoop.util.Shell.run(Shell.java:188)
at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:381)
at org.apache.hadoop.util.Shell.execCommand(Shell.java:467)
at org.apache.hadoop.util.Shell.execCommand(Shell.java:450)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:86)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:55)
at org.apache.hadoop.security.Groups.getGroups(Groups.java:88)
at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1043)
at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:221)
at org.apache.hadoop.mapred.JobACLsManager.checkAccess(JobACLsManager.java:103)
at org.apache.hadoop.mapreduce.v2.hs.CompletedJob.checkAccess(CompletedJob.java:325)
at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.checkAccess(AppController.java:292)
at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.requireJob(AppController.java:313)
at org.apache.hadoop.mapreduce.v2.app.webapp.AppController.job(AppController.java:97)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira