[ https://issues.apache.org/jira/browse/TEZ-1640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Subroto Sanyal updated TEZ-1640: -------------------------------- Attachment: client_log.txt app_master_syslog.txt hi [~bikassaha], Attached the client and app master log. My client run as _subroto_ and I start the _DagAppmaster_ (TezClient) as _qa_ (via the UGI.createProxyUser code). I can see that the _DagAppmaster_ is running as user _qa_ on _ResourceManager_ UI. _qa_ invokes _waitTillReady_ on _TezClient_ and ends up with the exceptions. > Unable to achieve Secured Impersonation > --------------------------------------- > > Key: TEZ-1640 > URL: https://issues.apache.org/jira/browse/TEZ-1640 > Project: Apache Tez > Issue Type: Bug > Affects Versions: 0.5.0 > Reporter: Subroto Sanyal > Attachments: app_master_syslog.txt, client_log.txt > > > My client is running with user "subroto" and following are the entries in the > xmls: > {code:xml|title=core-site.xml|borderStyle=solid} > <property> > <name>hadoop.proxyuser.subroto.groups</name> > <value>impersonatedgroup</value> > </property> > <property> > <name>hadoop.proxyuser.subroto.hosts</name> > <value>*</value> > </property> > {code} > I have a user _qa_ which belongs to the the group _impersonatedgroup_ . > Following is the code to launch the DAGAppMaster > {code:java|title=TezClientWrapper.java|borderStyle=solid} > TezClient tezClient = SecureGridMode.executePossiblyImpersonated(conf, new > PrivilegedExceptionAction<TezClient>() { > @Override > public TezClient run() throws Exception { > final TezConfiguration tezConf = createTezConf(conf, > jobContext); > if (amSpecificProperties != null) { > applyAmSpecificProperties(tezConf, > amSpecificProperties); > } > UserGroupInformation currentUser = > UserGroupInformation.getCurrentUser(); > LOG.info("Current User:" + currentUser); > File tokenFile = new > File(System.getProperty("java.io.tmpdir"), > tezSessionName.replaceAll("[^a-zA-Z0-9]", "")); > LOG.info("Token File:" + tokenFile.getAbsolutePath()); > > currentUser.getCredentials().writeTokenStorageFile(UriUtil.toPath(tokenFile.getAbsoluteFile()), > conf); > tezConf.set(TezConfiguration.TEZ_CREDENTIALS_PATH, > tokenFile.getAbsolutePath()); > TezClient tezClient = TezClient.create(tezSessionName, > tezConf, createSession, localResourceMap, currentUser.getCredentials()); > > tezClient.setAppMasterCredentials(currentUser.getCredentials()); > tezClient.start(); > tezClient.waitTillReady(); > return tezClient; > } > });{code} > The logs so obtained from this piece of code execution is: > {noformat}Current User:qa (auth:PROXY) via subroto@EC2.INTERNAL > (auth:KERBEROS){noformat} > The code piece fails in: _tezClient.waitTillReady();_ > From the Resource Manager UI I can see that a application is launched with > user _qa_. > Failure stack-trace: > {noformat} > (UserGroupInformation.java:1551) - PriviledgedActionException as:qa > (auth:SIMPLE) cause:java.io.IOException: > org.apache.hadoop.security.AccessControlException: Client cannot authenticate > via:[TOKEN, KERBEROS] > Failed to retrieve AM Status via proxy > com.google.protobuf.ServiceException: java.io.IOException: Failed on local > exception: java.io.IOException: > org.apache.hadoop.security.AccessControlException: Client cannot authenticate > via:[TOKEN, KERBEROS]; Host Details : local host is: > "ip-10-178-144-254/10.178.144.254"; destination host is: > "ip-10-187-33-206":56660; > at > org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216) > at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source) > at > org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:522) > at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:597) > at test.app.TezClientWrapper$1.run(TezClientFacade.java:146) > at test.app.TezClientWrapper$1.run(TezClientFacade.java:130) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:396) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548) > at test.app.Security.doAs(Security.java:65) > {noformat} -- This message was sent by Atlassian JIRA (v6.3.4#6332)