Hi Bikas, In the method: org.apache.tez.client.TezClientUtils.getAMProxy(Configuration, String, int, Token) a UGI is getting created with name of the current user. I think in this process it ignores all the security things and making the authentication mode as "SIMPLE". I have piece of code which tries to create a TezClient and it keeps throwing the exception:
[anonymous] WARN [2014-08-28 03:37:50.181] [MrPlanRunnerV2] (UserGroupInformation.java:1551) - PriviledgedActionException as:subroto (auth:SIMPLE) cause:java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS] [anonymous] INFO [2014-08-28 03:37:50.182] [MrPlanRunnerV2] (TezClient.java:539) - Failed to retrieve AM Status via proxy com.google.protobuf.ServiceException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "domU-12-31-39-0F-74-32/10.193.119.192"; destination host is: "domU-12-31-39-0C-7D-37":59431; at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:216) at com.sun.proxy.$Proxy111.getAMStatus(Unknown Source) at org.apache.tez.client.TezClient.getAppMasterStatus(TezClient.java:532) at org.apache.tez.client.TezClient.waitTillReady(TezClient.java:607) at subroto.tez.TezClusterSession$2.run(TezClusterSession.java:180) I m trying to achieve impersonation. Here user "subroto" is privileged user and the real user is not at all considered by the Tez Code. Request some suggestion on this. On Tue, Aug 19, 2014 at 11:18 PM, Bikas Saha <[email protected]> wrote: > There is nothing special that you need to do if you are already running > secure Map Reduce jobs. The client needs to run in a Kerberized > authenticated context. After that if you are using the built-in library of > inputs/outputs etc then they should be taking care of all the access > credentials for you when using the 0.5 API. I > > > > If you are using 0.4 API to write your job then you may need to use > additional APIs for passing credentials to the application. Look for > credentials in > https://github.com/apache/tez/blob/branch-0.4.0-incubating/tez-mapreduce-examples/src/main/java/org/apache/tez/mapreduce/examples/FilterLinesByWord.java > and also *public* *synchronized* DAG *addURIsForCredentials(*Collection*<* > URI*>* uris*)* > > > > The second method is a shortcut if you are using HDFS files for input. It > obtains credentials for you from a collection of HDFS input URIs. > > > > Bikas > > > > *From:* Subroto Sanyal [mailto:[email protected]] > *Sent:* Tuesday, August 19, 2014 3:30 AM > *To:* [email protected] > *Subject:* Tez with secured hadoop > > > > hi > > > > Tez works on secure hadoop cluster since tez-0.3. > > Is there any documentation available about configuring TezClient to make > it work? > > > > -- > Cheers, > *Subroto Sanyal* > > CONFIDENTIALITY NOTICE > NOTICE: This message is intended for the use of the individual or entity > to which it is addressed and may contain information that is confidential, > privileged and exempt from disclosure under applicable law. If the reader > of this message is not the intended recipient, you are hereby notified that > any printing, copying, dissemination, distribution, disclosure or > forwarding of this communication is strictly prohibited. If you have > received this communication in error, please contact the sender immediately > and delete it from your system. Thank You. -- Cheers, *Subroto Sanyal*
