[ https://issues.apache.org/jira/browse/MAPREDUCE-4329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sho Shimauchi updated MAPREDUCE-4329:
-------------------------------------

    Attachment: MAPREDUCE-4329.txt

Replace the comment on MapReducePolicyProvider with Harsh's one.

> security.task.umbilical.protocol.acl should not be configurable
> ---------------------------------------------------------------
>
>                 Key: MAPREDUCE-4329
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-4329
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.3
>            Reporter: Sho Shimauchi
>            Assignee: Sho Shimauchi
>         Attachments: MAPREDUCE-4329.txt, MAPREDUCE-4329.txt
>
>
> On running a MapReduce job, the username is changed to the jobid and the job fails.
> The exception is as follows:
> {code}
> 2012-06-08 19:39:26,555 WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_201206081934_0002
> org.apache.hadoop.util.Shell$ExitCodeException: id: job_201206081934_0002: no such user
>     at org.apache.hadoop.util.Shell.runCommand(Shell.java:255)
>     at org.apache.hadoop.util.Shell.run(Shell.java:182)
>     at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:375)
>     at org.apache.hadoop.util.Shell.execCommand(Shell.java:461)
>     at org.apache.hadoop.util.Shell.execCommand(Shell.java:444)
>     at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:68)
>     at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:45)
>     at org.apache.hadoop.security.Groups.getGroups(Groups.java:79)
>     at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1026)
>     at org.apache.hadoop.security.authorize.AccessControlList.isUserAllowed(AccessControlList.java:141)
>     at org.apache.hadoop.security.authorize.ServiceAuthorizationManager.authorize(ServiceAuthorizationManager.java:99)
>     at org.apache.hadoop.ipc.Server.authorize(Server.java:1659)
>     at org.apache.hadoop.ipc.Server$Connection.authorizeConnection(Server.java:1320)
>     at org.apache.hadoop.ipc.Server$Connection.processOneRpc(Server.java:1286)
>     at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1182)
>     at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537)
>     at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>     at java.lang.Thread.run(Thread.java:680)
> {code}
> This issue can be reproduced by the following steps:
> 1. set hadoop.security.authorization = true in core-site.xml
> {code}
> <property>
>   <name>hadoop.security.authorization</name>
>   <value>true</value>
> </property>
> {code}
> 2. set any value except for '*' to security.task.umbilical.protocol.acl in hadoop-policy.xml
> {code}
> <property>
>   <name>security.task.umbilical.protocol.acl</name>
>   <value>sho sho</value>
>   <description>ACL for TaskUmbilicalProtocol, used by the map and reduce
>   tasks to communicate with the parent tasktracker.
>   The ACL is a comma-separated list of user and group names. The user and
>   group list is separated by a blank. For e.g. "alice,bob users,wheel".
>   A special value of "*" means all users are allowed.</description>
> </property>
> {code}
> 3. run any mapreduce job.
>
> h4. Code Analysis
> ./src/mapred/org/apache/hadoop/mapred/Child.java:102-118
> {code}
> UserGroupInformation taskOwner
>   = UserGroupInformation.createRemoteUser(firstTaskid.getJobID().toString());
> taskOwner.addToken(jt);
>
> // Set the credentials
> defaultConf.setCredentials(credentials);
>
> final TaskUmbilicalProtocol umbilical =
>   taskOwner.doAs(new PrivilegedExceptionAction<TaskUmbilicalProtocol>() {
>     @Override
>     public TaskUmbilicalProtocol run() throws Exception {
>       return (TaskUmbilicalProtocol)RPC.getProxy(TaskUmbilicalProtocol.class,
>           TaskUmbilicalProtocol.versionID,
>           address,
>           defaultConf);
>     }
> });
> {code}
> This code indicates that TaskUmbilicalProtocol uses the jobid as the username.
> This code came from MAPREDUCE-1457.
> https://issues.apache.org/jira/browse/MAPREDUCE-1457
> Devaraj said as follows in the JIRA:
> {quote}
> 2) In Child.java, the task authenticates to the TaskTracker using the
> jobtoken. The username in the jobtoken is jobId. The doAs block done using
> taskOwner is required so that the username mentioned in the token and the one
> doing the operation matches.
> {quote}
> We can't change security.task.umbilical.protocol.acl; it should always be '*'.
> TaskUmbilicalProtocol should be removed from MapReducePolicyProvider to
> disable security.task.umbilical.protocol.acl.
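
An added example (not part of the JIRA message or the Hadoop code base): a configuration check for the failure described above, run against constructed copies of the two files from the reproduction steps. `acl_allows` is a simplified model of the ACL format quoted in the report; the function names and the default of `*` for a missing key are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring the reproduction steps in the report.
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""
HADOOP_POLICY = """<configuration>
  <property><name>security.task.umbilical.protocol.acl</name><value>sho sho</value></property>
</configuration>"""

UMBILICAL_KEY = "security.task.umbilical.protocol.acl"

def load_props(xml_text):
    """Return {name: value} for a Hadoop *-site.xml style document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "")
            for p in root.iter("property")}

def acl_allows(acl, user, groups=()):
    """Simplified model of the ACL format quoted in the report:
    'user1,user2 group1,group2', with '*' meaning everyone."""
    if acl.strip() == "*":
        return True
    parts = acl.split(" ", 1)  # users before the first blank, groups after it
    users = set(filter(None, parts[0].split(",")))
    grps = set(filter(None, parts[1].split(","))) if len(parts) > 1 else set()
    return user in users or bool(grps & set(groups))

def audit(core_xml, policy_xml, sample_job_user="job_201206081934_0002"):
    """Return a list of findings; empty means tasks can reach the tasktracker."""
    core, policy = load_props(core_xml), load_props(policy_xml)
    if core.get("hadoop.security.authorization", "false").strip().lower() != "true":
        return []  # service-level authorization is off, so the ACL is not consulted
    acl = policy.get(UMBILICAL_KEY, "*")  # assumption: a missing key behaves as '*'
    # Tasks connect with the job id as username; it is not an OS user, so the
    # group lookup fails (see the stack trace) and only the user list can match.
    if not acl_allows(acl, sample_job_user):
        return [f"{UMBILICAL_KEY}={acl!r} rejects task user "
                f"{sample_job_user!r}; it must be '*'"]
    return []

if __name__ == "__main__":
    for finding in audit(CORE_SITE, HADOOP_POLICY):
        print("FINDING:", finding)
```
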