Posted to issues@tez.apache.org by "Bikas Saha (JIRA)" <ji...@apache.org> on 2014/10/08 22:02:36 UTC

[jira] [Commented] (TEZ-1640) Unable to achieve Secured Impersonation

    [ https://issues.apache.org/jira/browse/TEZ-1640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14164064#comment-14164064 ] 

Bikas Saha commented on TEZ-1640:
---------------------------------

Can you please clarify/confirm the following:

Your client runs as foo.
Your client starts TezClient as effective user bar (via the UGI.createProxyUser code).
This causes TezClient to start the AM as user bar.
AM runs as user bar.
TezClient (running as effective bar) tries to contact the AM running as bar.
TezClient gets error.

If the answer is yes to all of the above then please attach the client side and AM logs. Could you please enable debug logging on both the client and the AM?


> Unable to achieve Secured Impersonation
> ---------------------------------------
>
>                 Key: TEZ-1640
>                 URL: https://issues.apache.org/jira/browse/TEZ-1640
>             Project: Apache Tez
>          Issue Type: Bug
>    Affects Versions: 0.5.0
>            Reporter: Subroto Sanyal
>
> My client is running with user "subroto" and following are the entries in the xmls:
> {code:xml|title=core-site.xml|borderStyle=solid}
>                <property>
>                 <name>hadoop.proxyuser.subroto.groups</name>
>                 <value>impersonatedgroup</value>
>                 </property>
>                <property>
>                 <name>hadoop.proxyuser.subroto.hosts</name>
>                 <value>*</value>
>                </property>
> {code}
> I have a user _qa_ which belongs to the group _impersonatedgroup_.
> Following is the code to launch the DAGAppMaster:
> {code:java|title=TezClientWrapper.java|borderStyle=solid}
> TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new PrivilegedExceptionAction<TezClient>() {
>                 @Override
>                 public TezClient run() throws Exception {
>                     final TezConfiguration tezConf = createTezConf(conf, jobContext);
>                     if (amSpecificProperties != null) {
>                         applyAmSpecificProperties(tezConf, amSpecificProperties);
>                     }
>                     UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
>                     LOG.info("Current User:" + currentUser);
>                     File tokenFile = new File(System.getProperty("java.io.tmpdir"), tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
>                     LOG.info("Token File:" + tokenFile.getAbsolutePath());
>                     currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), conf);
>                     tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, tokenFile.getAbsolutePath());
>                     TezClient tezClient = TezClient.create(tezSessionName, tezConf, createSession, localResourceMap, currentUser.getCredentials());
>                     tezClient.setAppMasterCredentials(currentUser.getCredentials());
>                     tezClient.start();
>                     tezClient.waitTillReady();
>                     return tezClient;
>                 }
>             });{code}
> The log obtained from executing this piece of code is:
> {noformat}Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL (auth:KERBEROS){noformat}
> The code piece fails in: _tezClient.waitTillReady();_
> From the Resource Manager UI I can see that an application is launched with user _qa_.
> Failure stack-trace:
> {noformat}
>  (UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
> Failed to retrieve AM Status via proxy
> com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "ip-10-178-144-254/10.178.144.254"; destination host is: "ip-10-187-33-206":56660;
>         at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
>         at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
>         at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
>         at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
>         at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
>         at test.app.Security.doAs(Security.java:65)
> {noformat}
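
The two UGI strings quoted in the issue show the effective user qa under different authentication methods: PROXY via a Kerberos real user in the client log, SIMPLE in the exception line. The following is an added triage example, not part of the original message or of Tez/Hadoop, that extracts those fields from log lines so the client and AM logs requested above can be compared. The function names are hypothetical, and the regex assumes the `user (auth:METHOD) [via realuser (auth:METHOD)]` shape seen on this page.

```python
import re
from collections import defaultdict

# Shape assumed from the log lines on this page:
#   <user> (auth:<METHOD>) [via <real user> (auth:<METHOD>)]
UGI_RE = re.compile(
    r"(?P<user>[\w.@/-]+) \(auth:(?P<auth>[A-Z_]+)\)"
    r"(?: via (?P<real_user>[\w.@/-]+) \(auth:(?P<real_auth>[A-Z_]+)\))?"
)
OFFERED_RE = re.compile(r"Client cannot authenticate via:\[([^\]]*)\]")

# The two UGI-bearing lines quoted in the issue description (second one shortened).
SAMPLE_LOG = [
    "Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL (auth:KERBEROS)",
    " (UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) "
    "cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: "
    "Client cannot authenticate via:[TOKEN, KERBEROS]",
]

def parse_ugi(line):
    """Return the first UGI identity in a log line as a dict, or None."""
    m = UGI_RE.search(line)
    return m.groupdict() if m else None

def auth_methods_by_user(lines):
    """Map each effective user to the set of auth methods it was logged with."""
    seen = defaultdict(set)
    for line in lines:
        ugi = parse_ugi(line)
        if ugi:
            seen[ugi["user"]].add(ugi["auth"])
    return dict(seen)

def inconsistent_users(lines):
    """Effective users that appear under more than one auth method."""
    by_user = auth_methods_by_user(lines)
    return {u: sorted(a) for u, a in by_user.items() if len(a) > 1}

def offered_methods(line):
    """Auth methods the server offered in a 'cannot authenticate' error."""
    m = OFFERED_RE.search(line)
    return [s.strip() for s in m.group(1).split(",")] if m else []

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_ugi(line), offered_methods(line))
    print("auth method differs for:", inconsistent_users(SAMPLE_LOG))
```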


