[jira] [Resolved] (MAPREDUCE-3623) Authorization of NM <=> RM with simple authentication mistakenly attempts kerberos when yarn.nodemanager.principal is defined

["Omkar Vinit Joshi (JIRA)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/MAPREDUCE-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Omkar Vinit Joshi resolved MAPREDUCE-3623.
------------------------------------------

          Resolution: Duplicate
    Target Version/s: 2.0.0-alpha, 0.23.3, 3.0.0  (was: 0.23.3, 2.0.0-alpha, 3.0.0)

Thanks [~vinodkv]. This is occurring because the nodemanager service was not able to parse ${HADOOP_YARN_USER} present in hadoop-policy.xml. Replacing it to either * (means everyone is allowed) or the user running nodemanager solves the issue. Marking this ticket as duplicate and closing it.
                
> Authorization of NM <=> RM with simple authentication mistakenly attempts kerberos when yarn.nodemanager.principal is defined
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-3623
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3623
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: mrv2
>    Affects Versions: 0.23.1, 0.24.0
>            Reporter: Jonathan Eagles
>            Assignee: Omkar Vinit Joshi
>
> MAPREDUCE-3617 addresses the default values of yarn.nodemanager.principal and yarn.resourcemanager.principal
> I have enabled authorization with simple authentication. NM <=> RM still attempts kerberos authentication. If simple authentication is enabled yarn.nodemanager.principal and yarn.resourcemanager.principal values should be ignored and simple authentication should be used.
> {code:xml|title=core-site.xml snippet}
>   <property>
>     <name>hadoop.security.authentication</name>
>     <value>simple</value>
>     <description></description>
>   </property>
>   <property>
>     <name>hadoop.security.authorization</name>
>     <value>true</value>
>     <description></description>
>   </property>
> {code}
> {code:xml|title=yarn-site.xml snippet}
> <property>
>   <description>The Kerberos principal for the resource manager.</description>
>   <name>yarn.resourcemanager.principal</name>
>   <value>rm/sightbusy-lx@LOCALHOST</value>
> </property>
> <property>
>   <description>The kerberos principal for the node manager.</description>
>   <name>yarn.nodemanager.principal</name>
>   <value>nm/sightbusy-lx@LOCALHOST</value>
> </property>
> {code}
> {noformat:title=nodemanager.out snippet}
> 2012-01-03 16:40:00,793 INFO  nodemanager.NodeStatusUpdaterImpl (NodeStatusUpdaterImpl.java:registerWithRM(176)) - Connected to ResourceManager at machine.example.com:8025
> 2012-01-03 16:40:00,845 ERROR service.CompositeService (CompositeService.java:start(72)) - Error starting services org.apache.hadoop.yarn.server.nodemanager.NodeManager
> org.apache.avro.AvroRuntimeException: java.lang.reflect.UndeclaredThrowableException
>     at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.start(NodeStatusUpdaterImpl.java:149)
>     at org.apache.hadoop.yarn.service.CompositeService.start(CompositeService.java:68)
>     at org.apache.hadoop.yarn.server.nodemanager.NodeManager.start(NodeManager.java:167)
>     at org.apache.hadoop.yarn.server.nodemanager.NodeManager.main(NodeManager.java:242)
> Caused by: java.lang.reflect.UndeclaredThrowableException
>     at org.apache.hadoop.yarn.server.api.impl.pb.client.ResourceTrackerPBClientImpl.registerNodeManager(ResourceTrackerPBClientImpl.java:66)
>     at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.registerWithRM(NodeStatusUpdaterImpl.java:182)
>     at org.apache.hadoop.yarn.server.nodemanager.NodeStatusUpdaterImpl.start(NodeStatusUpdaterImpl.java:145)
>     ... 3 more
> Caused by: com.google.protobuf.ServiceException: org.apache.hadoop.security.authorize.AuthorizationException: User user (auth:SIMPLE) is not authorized for protocol interface org.apache.hadoop.yarn.proto.ResourceTracker$ResourceTrackerService$BlockingInterface, expected client Kerberos principal is nm/sightbusy-lx@LOCALHOST
>     at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:139)
>     at $Proxy24.registerNodeManager(Unknown Source)
>     at org.apache.hadoop.yarn.server.api.impl.pb.client.ResourceTrackerPBClientImpl.registerNodeManager(ResourceTrackerPBClientImpl.java:59)
>     ... 5 more
> Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User user (auth:SIMPLE) is not authorized for protocol interface org.apache.hadoop.yarn.proto.ResourceTracker$ResourceTrackerService$BlockingInterface, expected client Kerberos principal is nm/sightbusy-lx@LOCALHOST
>     at org.apache.hadoop.ipc.Client.call(Client.java:1085)
>     at org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:136)
>     ... 7 more
> 2012-01-03 16:40:00,846 WARN  event.AsyncDispatcher (AsyncDispatcher.java:run(78)) - AsyncDispatcher thread interrupted
> java.lang.InterruptedException
>     at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:1961)
>     at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1996)
>     at java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:399)
>     at org.apache.hadoop.yarn.event.AsyncDispatcher$1.run(AsyncDispatcher.java:76)
>     at java.lang.Thread.run(Thread.java:662)
> 2012-01-03 16:40:00,846 INFO  service.AbstractService (AbstractService.java:stop(75)) - Service:Dispatcher is stopped.
> {noformat}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira