[ https://issues.apache.org/jira/browse/YARN-8539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16544877#comment-16544877 ]
Rohith Sharma K S commented on YARN-8539: ----------------------------------------- I strongly suspect this could be cluster set up issue. In secure cluster, cluster should contains SPNEGO configured. May be you can upload configurations that could help a little bit. > TimelineWebService#getUser null leads to empty entities list > ------------------------------------------------------------ > > Key: YARN-8539 > URL: https://issues.apache.org/jira/browse/YARN-8539 > Project: Hadoop YARN > Issue Type: Bug > Components: timelineservice > Reporter: Shen Yinjie > Priority: Major > > When we integrate tez-ui with timeline server and set yarn.acl.enabled=true. > tez-ui will invoke the timeline rest ** interface(ws/v1/timeline/TEZ_DAG_ID) > to get all dags . But tez-ui shows "no records available" . > after some digging, I find when tez-ui invoke > ".../ws/v1/timeline/TEZ_DAG_ID". > TimelineWebService#getUser(HttpServletRequest req) returns callerUgi = null > In TimelineACLsManager#checkAccess() > {code:java} > ...... > if (callerUGI != null > && (adminAclsManager.isAdmin(callerUGI) || > callerUGI.getShortUserName().equals(owner) || > domainACL.isUserAllowed(callerUGI))) { > return true; > } > return false; > } > {code} > Finally, Tez ui get nothing because of couldn't pass this checkAccess(). > I also refer to the similar code in RMWebServices > {code} protected Boolean hasAccess(RMApp app, HttpServletRequest hsr) { > // Check for the authorization. > UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true); > ...... > if (callerUGI != null > && !(this.rm.getApplicationACLsManager().checkAccess(callerUGI, > ApplicationAccessType.VIEW_APP, app.getUser(), > app.getApplicationId()) > || this.rm.getQueueACLsManager().checkAccess(callerUGI, > QueueACL.ADMINISTER_QUEUE, app, hsr.getRemoteAddr(), > forwardedAddresses))) { > return false; > } > return true; > } > {code} > > when callerUgi= null, hasAcces() returns true. > So , I made a similar fix for TimelineWebServices. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org