[ https://issues.apache.org/jira/browse/MAPREDUCE-4329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sho Shimauchi updated MAPREDUCE-4329:
-------------------------------------

    Attachment: MAPREDUCE-4329.txt

Replace the comment on MapReducePolicyProvider with Harsh's one.
                
> security.task.umbilical.protocol.acl should not be configurable
> ---------------------------------------------------------------
>
>                 Key: MAPREDUCE-4329
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-4329
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.3
>            Reporter: Sho Shimauchi
>            Assignee: Sho Shimauchi
>         Attachments: MAPREDUCE-4329.txt, MAPREDUCE-4329.txt
>
>
> When running a MapReduce job, the username is changed to the jobid and the job fails.
> Exception is as follows:
> {code}
> 2012-06-08 19:39:26,555 WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_201206081934_0002
> org.apache.hadoop.util.Shell$ExitCodeException: id: job_201206081934_0002: no such user
>         at org.apache.hadoop.util.Shell.runCommand(Shell.java:255)
>         at org.apache.hadoop.util.Shell.run(Shell.java:182)
>         at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:375)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:461)
>         at org.apache.hadoop.util.Shell.execCommand(Shell.java:444)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:68)
>         at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:45)
>         at org.apache.hadoop.security.Groups.getGroups(Groups.java:79)
>         at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1026)
>         at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:141)
>         at org.apache.hadoop.security.authorize.ServiceAuthorizationManager.authorize(ServiceAuthorizationManager.java:99)
>         at org.apache.hadoop.ipc.Server.authorize(Server.java:1659)
>         at org.apache.hadoop.ipc.Server$Connection.authorizeConnection(Server.java:1320)
>         at org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:1286)
>         at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1182)
>         at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537)
>         at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:680)
> {code}
> This issue can be reproduced by the following steps:
> 1. Set hadoop.security.authorization = true in core-site.xml
> {code}
>   <property>
>     <name>hadoop.security.authorization</name>
>     <value>true</value>
>   </property>
> {code}
> 2. Set security.task.umbilical.protocol.acl to any value other than '*' in hadoop-policy.xml
> {code}
>   <property>
>     <name>security.task.umbilical.protocol.acl</name>
>     <value>sho sho</value>
>     <description>ACL for TaskUmbilicalProtocol, used by the map and reduce 
>     tasks to communicate with the parent tasktracker. 
>     The ACL is a comma-separated list of user and group names. The user and 
>     group list is separated by a blank. For e.g. "alice,bob users,wheel". 
>     A special value of "*" means all users are allowed.</description>
>   </property>
> {code}
> 3. Run any MapReduce job.
> h4. Code Analysis
> ./src/mapred/org/apache/hadoop/mapred/Child.java:102-118
> {code}
>     UserGroupInformation taskOwner =
>       UserGroupInformation.createRemoteUser(firstTaskid.getJobID().toString());
>     taskOwner.addToken(jt);
>     
>     // Set the credentials
>     defaultConf.setCredentials(credentials);
>     
>     final TaskUmbilicalProtocol umbilical = 
>       taskOwner.doAs(new PrivilegedExceptionAction<TaskUmbilicalProtocol>() {
>         @Override
>         public TaskUmbilicalProtocol run() throws Exception {
>           return (TaskUmbilicalProtocol)RPC.getProxy(TaskUmbilicalProtocol.class,
>               TaskUmbilicalProtocol.versionID,
>               address,
>               defaultConf);
>         }
>     });
> {code}
> This code indicates that TaskUmbilicalProtocol uses the jobid as the username.
> This code came from MAPREDUCE-1457. 
> https://issues.apache.org/jira/browse/MAPREDUCE-1457
> Devaraj said as follows in the JIRA:
> {quote}
> 2) In Child.java, the task authenticates to the TaskTracker using the 
> jobtoken. The username in the jobtoken is jobId. The doAs block done using 
> taskOwner is required so that the username mentioned in the token and the one 
> doing the operation matches.
> {quote}
> We can't change security.task.umbilical.protocol.acl; it should always be '*'.
> TaskUmbilicalProtocol should be removed from MapReducePolicyProvider to 
> disable security.task.umbilical.protocol.acl.
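
An added example, not part of the issue or of Hadoop's code: a configuration audit that models the ACL format from the hadoop-policy.xml description quoted above and reports when the umbilical ACL would reject a task connecting under its job ID. The function names are hypothetical, the XML is constructed sample input, and the code assumes an unset ACL key defaults to '*' and that a job-ID principal resolves to no groups (as the "no such user" log line shows).

```python
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring the reproduction steps in the issue.
CORE_SITE = """<configuration><property>
  <name>hadoop.security.authorization</name><value>true</value>
</property></configuration>"""
POLICY_BAD = """<configuration><property>
  <name>security.task.umbilical.protocol.acl</name><value>sho sho</value>
</property></configuration>"""
POLICY_OK = POLICY_BAD.replace("sho sho", "*")

UMBILICAL_KEY = "security.task.umbilical.protocol.acl"

def props(xml_text):
    """Return {name: value} for a Hadoop configuration XML document."""
    root = ET.fromstring(xml_text)
    # Values are kept unstripped: a leading blank means "groups only" in an ACL.
    return {p.findtext("name", "").strip(): p.findtext("value") or ""
            for p in root.iter("property")}

def parse_acl(value):
    """Split 'u1,u2 g1,g2' into (allow_all, users, groups); '*' allows everyone."""
    if value.strip() == "*":
        return True, set(), set()
    parts = value.split(" ", 1)
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    groups = set()
    if len(parts) > 1:
        groups = {g.strip() for g in parts[1].split(",") if g.strip()}
    return False, users, groups

def is_allowed(acl, user, user_groups=()):
    allow_all, users, groups = acl
    return allow_all or user in users or bool(groups & set(user_groups))

def audit(core_site_xml, policy_xml, caller="job_201206081934_0002"):
    """Return findings; an empty list means the umbilical ACL cannot break tasks."""
    enabled = props(core_site_xml).get("hadoop.security.authorization", "false")
    if enabled.strip().lower() != "true":
        return []  # service-level authorization is off, the ACL is never consulted
    value = props(policy_xml).get(UMBILICAL_KEY, "*")  # assumption: unset means '*'
    # The task connects as its job ID, which is not an OS account and has no groups.
    if is_allowed(parse_acl(value), caller, user_groups=()):
        return []
    return [f"{UMBILICAL_KEY}={value!r} rejects task principal {caller!r}; use '*'"]

if __name__ == "__main__":
    for label, policy in (("restricted", POLICY_BAD), ("wildcard", POLICY_OK)):
        print(label, audit(CORE_SITE, policy) or "no findings")
```
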
