[ https://issues.apache.org/jira/browse/MAPREDUCE-3668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13185828#comment-13185828 ]
Vinod Kumar Vavilapalli commented on MAPREDUCE-3668: ---------------------------------------------------- A quick fix that comes to mind is to catch and ignore AccessControlExcpetions on the client side, but there is a bigger underlying issue. "job -list" going to each and every AM is not going to scale. As part of MAPREDUCE-3476, I am moving all the per-AM information to "job -status". I am going to work on MAPREDUCE-3476 soon, but if that gets late, we can push the quick fix in. > AccessControlException when running mapred job -list command > ------------------------------------------------------------ > > Key: MAPREDUCE-3668 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-3668 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: client, mrv2, security > Affects Versions: 0.23.1 > Reporter: Jason Lowe > Assignee: Jason Lowe > Priority: Blocker > > If a user tries to examine the status of all jobs running on a secure cluster > the mapred client can fail with an AccessControlException. For example, > submitting two jobs each from a different user then trying to query the > status as the second user can fail like this: > $ mapred job -list all > 12/01/12 20:01:12 WARN conf.Configuration: mapred.used.genericoptionsparser > is deprecated. Instead, use > mapreduce.client.genericoptionsparser.used > Total jobs:2 > JobId State StartTime UserName Queue Priority Maps > Reduces UsedContainers RsvdContainers UsedMem RsvdMem NeededMem AM > info > 12/01/12 20:01:14 INFO mapred.ClientServiceDelegate: Application state is > completed. FinalApplicationStatus=SUCCEEDED. Redirecting to job history server > job_1326396427223_0002 SUCCEEDED 1326398424244 user2 default > NORMAL 2 2 0 0 0M 0M 0M > hostremoved:8088/proxy/application_1326396427223_0002/jobhistory/job/job_1326396427223_2_2 > 12/01/12 20:01:14 INFO mapred.ClientServiceDelegate: Application state is > completed. FinalApplicationStatus=SUCCEEDED. Redirecting to job history server > 12/01/12 20:01:14 WARN mapred.ClientServiceDelegate: Error from remote end: > User user2 cannot perform operation VIEW_JOB on job_1326396427223_0001 > Exception in thread "main" RemoteTrace: > java.security.AccessControlException: User user2 cannot perform operation > VIEW_JOB on job_1326396427223_0001 > at > org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.checkAccess(HistoryClientService.java:293) > at > org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.verifyAndGetJob(HistoryClientService.java:184) > at > org.apache.hadoop.mapreduce.v2.hs.HistoryClientService$MRClientProtocolHandler.getJobReport(HistoryClientService.java:200) > at > org.apache.hadoop.mapreduce.v2.api.impl.pb.service.MRClientProtocolPBServiceImpl.getJobReport(MRClientProtocolPBServiceImpl.java:106) > at > org.apache.hadoop.yarn.proto.MRClientProtocol$MRClientProtocolService$2.callBlockingMethod(MRClientProtocol.java:187) > at > org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Server.call(ProtoOverHadoopRpcEngine.java:344) > at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:1490) > at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:1486) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:396) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1157) > at org.apache.hadoop.ipc.Server$Handler.run(Server.java:1484) > at Local Trace: > org.apache.hadoop.yarn.exceptions.impl.pb.YarnRemoteExceptionPBImpl: > User user2 cannot perform operation VIEW_JOB on job_1326396427223_0001 > at > org.apache.hadoop.yarn.ipc.ProtoOverHadoopRpcEngine$Invoker.invoke(ProtoOverHadoopRpcEngine.java:151) > at $Proxy10.getJobReport(Unknown Source) > at > org.apache.hadoop.mapreduce.v2.api.impl.pb.client.MRClientProtocolPBClientImpl.getJobReport(MRClientProtocolPBClientImpl.java:104) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at > org.apache.hadoop.mapred.ClientServiceDelegate.invoke(ClientServiceDelegate.java:328) > at > org.apache.hadoop.mapred.ClientServiceDelegate.getJobStatus(ClientServiceDelegate.java:405) > at > org.apache.hadoop.mapred.YARNRunner.getJobStatus(YARNRunner.java:431) > at org.apache.hadoop.mapreduce.Cluster.getJob(Cluster.java:186) > at org.apache.hadoop.mapreduce.tools.CLI.displayJobList(CLI.java:571) > at org.apache.hadoop.mapreduce.tools.CLI.listAllJobs(CLI.java:500) > at org.apache.hadoop.mapreduce.tools.CLI.run(CLI.java:298) > at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:69) > at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:83) > at org.apache.hadoop.mapred.JobClient.main(JobClient.java:1209) > The information provided by the command is similar to what is presented on > the ResourceManager web UI, and that page has no security. > Marking this as a blocker since many of our automated acceptance tests use > this command to obtain the status of jobs running in the cluster. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira