You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Yu Gao (JIRA)" <ji...@apache.org> on 2014/08/12 01:08:11 UTC
[jira] [Commented] (YARN-2407) Users are not allowed to view their
own jobs, denied by JobACLsManager
[ https://issues.apache.org/jira/browse/YARN-2407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14093484#comment-14093484 ]
Yu Gao commented on YARN-2407:
------------------------------
After turn on debug, got this in ApplicationMaster log:
DEBUG [IPC Server handler 0 on 36796] org.apache.hadoop.mapred.JobACLsManager: checkAccess job acls, jobOwner: yarn jobacl: VIEW_JOB user: user1
The jobOwner above is incorrect. It should be user1 since it was user1 who submitted the job.
This error is caused by an incorrect implementation in JobImpl, which has defined two
user name fields:
username - user got from system property user.name, which is the container process owner
userName - the value is passed in via JobImpl constructor, which is the end user who has submitted the job
The JobImpl#checkAccess method should have used userName as the job owner, instead of username.
> Users are not allowed to view their own jobs, denied by JobACLsManager
> ----------------------------------------------------------------------
>
> Key: YARN-2407
> URL: https://issues.apache.org/jira/browse/YARN-2407
> Project: Hadoop YARN
> Issue Type: Bug
> Components: applications
> Affects Versions: 2.4.1
> Reporter: Yu Gao
>
> Have a Hadoop 2.4.1 cluster with Yarn ACL enabled, and try to submit jobs as a non-admin user user1. The job could be finished successfully, but the running progress was not displayed correctly on the commad-line, and I got following in the corresponding ApplicationMaster log:
> INFO [IPC Server handler 0 on 56717] org.apache.hadoop.ipc.Server: IPC Server handler 0 on 56717, call org.apache.hadoop.mapreduce.v2.api.MRClientProtocolPB.getJobReport from 9.30.95.26:61024 Call#59 Retry#0
> org.apache.hadoop.security.AccessControlException: User user1 cannot perform operation VIEW_JOB on job_1407456690588_0003
> at org.apache.hadoop.mapreduce.v2.app.client.MRClientService$MRClientProtocolHandler.verifyAndGetJob(MRClientService.java:191)
> at org.apache.hadoop.mapreduce.v2.app.client.MRClientService$MRClientProtocolHandler.getJobReport(MRClientService.java:233)
> at org.apache.hadoop.mapreduce.v2.api.impl.pb.service.MRClientProtocolPBServiceImpl.getJobReport(MRClientProtocolPBServiceImpl.java:122)
> at org.apache.hadoop.yarn.proto.MRClientProtocol$MRClientProtocolService$2.callBlockingMethod(MRClientProtocol.java:275)
> at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:585)
> at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:928)
> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2013)
> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2009)
> at java.security.AccessController.doPrivileged(AccessController.java:366)
> at javax.security.auth.Subject.doAs(Subject.java:572)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1567)
> at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2007)
--
This message was sent by Atlassian JIRA
(v6.2#6252)