You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@tez.apache.org by "Subroto Sanyal (JIRA)" <ji...@apache.org> on 2014/10/06 18:08:33 UTC
[jira] [Updated] (TEZ-1640) Unable to achieve Secured Impersonation
[ https://issues.apache.org/jira/browse/TEZ-1640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Subroto Sanyal updated TEZ-1640:
--------------------------------
Description:
My client is running with user "subroto" and following are the entries in the xmls:
{code:xml|title=core-site.xml|borderStyle=solid}
<property>
<name>hadoop.proxyuser.subroto.groups</name>
<value>impersonatedgroup</value>
</property>
<property>
<name>hadoop.proxyuser.subroto.hosts</name>
<value>*</value>
</property>
{code}
I have a user _qa_ which belongs to the the group _impersonatedgroup_ .
Following is the code to launch the DAGAppMaster
{code:java|title=TezClientWrapper.java|borderStyle=solid}
TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new PrivilegedExceptionAction<TezClient>() {
@Override
public TezClient run() throws Exception {
final TezConfiguration tezConf = createTezConf(conf, jobContext);
if (amSpecificProperties != null) {
applyAmSpecificProperties(tezConf, amSpecificProperties);
}
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
LOG.info("Current User:" + currentUser);
File tokenFile = new File(System.getProperty("java.io.tmpdir"), tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
LOG.info("Token File:" + tokenFile.getAbsolutePath());
currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), conf);
tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, tokenFile.getAbsolutePath());
TezClient tezClient = TezClient.create(tezSessionName, tezConf, createSession, localResourceMap, currentUser.getCredentials());
tezClient.setAppMasterCredentials(currentUser.getCredentials());
tezClient.start();
tezClient.waitTillReady();
return tezClient;
}
});{code}
The logs so obtained from this piece of code execution is:
{noformat}Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL (auth:KERBEROS){noformat}
The code piece fails in: _tezClient.waitTillReady();_
>From the Resource Manager UI I can see that a application is launched with user _qa_.
Failure stack-trace:
{noformat}
(UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
Failed to retrieve AM Status via proxy
com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "ip-10-178-144-254/10.178.144.254"; destination host is: "ip-10-187-33-206":56660;
at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
at test.app.Security.doAs(Security.java:65)
{noformat}
was:
My client is running with user "subroto" and following are the entries in the xmls:
{code:xml|title=core-site.xml|borderStyle=solid}
<property>
<name>hadoop.proxyuser.subroto.groups</name>
<value>impersonatedgroup</value>
</property>
<property>
<name>hadoop.proxyuser.subroto.hosts</name>
<value>*</value>
</property>
{code}
I have a user _qa_ which belongs to the the group _impersonatedgroup_ .
Following is the code to launch the DAGAppMaster
{code:java|title=TezClientWrapper.java|borderStyle=solid}
TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new PrivilegedExceptionAction<TezClient>() {
@Override
public TezClient run() throws Exception {
final TezConfiguration tezConf = createTezConf(conf, datameerJobContext);
if (amSpecificProperties != null) {
applyAmSpecificProperties(tezConf, amSpecificProperties);
}
UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
LOG.info("Current User:" + currentUser);
File tokenFile = new File(System.getProperty("java.io.tmpdir"), tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
LOG.info("Token File:" + tokenFile.getAbsolutePath());
currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), conf);
tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, tokenFile.getAbsolutePath());
TezClient tezClient = TezClient.create(tezSessionName, tezConf, createSession, localResourceMap, currentUser.getCredentials());
tezClient.setAppMasterCredentials(currentUser.getCredentials());
tezClient.start();
tezClient.waitTillReady();
return tezClient;
}
});{code}
The logs so obtained from this piece of code execution is:
{noformat}Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL (auth:KERBEROS){noformat}
The code piece fails in: _tezClient.waitTillReady();_
>From the Resource Manager UI I can see that a application is launched with user _qa_.
Failure stack-trace:
{noformat}
(UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
Failed to retrieve AM Status via proxy
com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "ip-10-178-144-254/10.178.144.254"; destination host is: "ip-10-187-33-206":56660;
at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
at test.app.Security.doAs(Security.java:65)
{noformat}
> Unable to achieve Secured Impersonation
> ---------------------------------------
>
> Key: TEZ-1640
> URL: https://issues.apache.org/jira/browse/TEZ-1640
> Project: Apache Tez
> Issue Type: Bug
> Affects Versions: 0.5.0
> Reporter: Subroto Sanyal
>
> My client is running with user "subroto" and following are the entries in the xmls:
> {code:xml|title=core-site.xml|borderStyle=solid}
> <property>
> <name>hadoop.proxyuser.subroto.groups</name>
> <value>impersonatedgroup</value>
> </property>
> <property>
> <name>hadoop.proxyuser.subroto.hosts</name>
> <value>*</value>
> </property>
> {code}
> I have a user _qa_ which belongs to the the group _impersonatedgroup_ .
> Following is the code to launch the DAGAppMaster
> {code:java|title=TezClientWrapper.java|borderStyle=solid}
> TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new PrivilegedExceptionAction<TezClient>() {
> @Override
> public TezClient run() throws Exception {
> final TezConfiguration tezConf = createTezConf(conf, jobContext);
> if (amSpecificProperties != null) {
> applyAmSpecificProperties(tezConf, amSpecificProperties);
> }
> UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
> LOG.info("Current User:" + currentUser);
> File tokenFile = new File(System.getProperty("java.io.tmpdir"), tezSessionName.replaceAll("[^a-zA-Z0-9]", ""));
> LOG.info("Token File:" + tokenFile.getAbsolutePath());
> currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), conf);
> tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, tokenFile.getAbsolutePath());
> TezClient tezClient = TezClient.create(tezSessionName, tezConf, createSession, localResourceMap, currentUser.getCredentials());
> tezClient.setAppMasterCredentials(currentUser.getCredentials());
> tezClient.start();
> tezClient.waitTillReady();
> return tezClient;
> }
> });{code}
> The logs so obtained from this piece of code execution is:
> {noformat}Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL (auth:KERBEROS){noformat}
> The code piece fails in: _tezClient.waitTillReady();_
> From the Resource Manager UI I can see that a application is launched with user _qa_.
> Failure stack-trace:
> {noformat}
> (UserGroupInformation.java:1551) - PriviledgedActionException as:qa (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
> Failed to retrieve AM Status via proxy
> com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "ip-10-178-144-254/10.178.144.254"; destination host is: "ip-10-187-33-206":56660;
> at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216)
> at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source)
> at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522)
> at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597)
> at test.app.TezClientWrapper$1.run(TezClientFacade.java:146)
> at test.app.TezClientWrapper$1.run(TezClientFacade.java:130)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
> at test.app.Security.doAs(Security.java:65)
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)