1

I am using Cloudera's CDH distribution of Hadoop and have recently upgraded from CDH3 to CDH4.

In CDH3 I used to be able to add user names into hadoop-policy.xml for:

security.client.protocol.acl

security.job.submission.protocol.acl

And then run:

hadoop dfsadmin -refreshServiceAcl

hadoop mradmin -refreshServiceAcl

And, voila, the user could access HDFS and run MR jobs.

I am now adding the first user since upgrading to CDH4, and it looks like something has changed.

I am still adding the user to the same properties in hadoop-policy.xml as above. For HDFS access I run:

hdfs dfsadmin -refreshServiceAcl

However, I cannot figure out what is appropriate to give the user access to "security.job.submission.protocol.acl". When I run:

hadoop mradmin -refreshServiceAcl

I get:

DEPRECATED: Use of this script to execute mapred command is deprecated. Instead use the mapred command for it.
refreshServiceAcl: java.io.IOException: Unknown protocol: org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol

And of course the user gets:

org.apache.hadoop.security.authorize.AuthorizationException: User username (auth:SIMPLE) is not authorized for protocol interface org.apache.hadoop.mapred.JobSubmissionProtocol, expected client Kerberos principal is null

I have not installed YARN/MRv2 and "/usr/lib/hadoop-0.20-mapreduce/bin/mapred" is just a soft link to "/usr/lib/hadoop-0.20-mapreduce/bin/hadoop".

Any idea how I can update the JobSubmissionProtocol to accept the new user?

senile_genius
  • I can update the Service Level Authorization for security.job.submission.protocol.acl by restarting the JobTracker. However, I would like to be able to do this without a service restart. Is there any way to refreshServiceAcl for security.job.submission.protocol.acl? – senile_genius Aug 24 '12 at 14:30

2 Answers

2

The hadoop-policy.xml file in the hadoop_home/conf directory contains all security-related settings. I believe you need to add the user name in the property settings. See below:

<property>
  <name>security.job.submission.protocol.acl</name>
  <value>*</value>
  <description>
    ACL for jobsubmissionProtocol, used by job clients to communicate with the job tracker
    for job submission, kill etc. The ACL is a comma separated list of user and group name.
    The user and grouplist is separated by a blank. For e.g., "majeed, john, developers,testers".
    A special value of "*" means all users are allowed.
  </description>
</property>
Palec
majeed
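An audit sketch for the ACL format described in the property above, added here as an example and not part of the original answer or of Hadoop's own code: it lists who each `*.acl` property in a hadoop-policy.xml admits and flags the `*` wildcard. It assumes the first blank separates the user list from the group list; the sample XML, the names `alice` and `bob`, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hadoop-policy.xml (not taken from a real cluster).
SAMPLE_POLICY = """<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>*</value>
  </property>
  <property>
    <name>security.job.submission.protocol.acl</name>
    <value>alice,bob developers,testers</value>
  </property>
</configuration>"""


def parse_acl(value):
    """Split an ACL value into (users, groups, wildcard).

    Assumption: the first blank separates the comma-separated user list
    from the comma-separated group list, and "*" alone allows everyone.
    A leading blank therefore means "no users, groups only".
    """
    if value.strip() == "*":
        return [], [], True
    parts = value.rstrip().split(" ", 1)
    users = [u.strip() for u in parts[0].split(",") if u.strip()]
    groups = []
    if len(parts) == 2:
        groups = [g.strip() for g in parts[1].split(",") if g.strip()]
    return users, groups, False


def audit_policy(xml_text):
    """Return {property name: (users, groups, wildcard)} for every *.acl property."""
    result = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.endswith(".acl"):
            result[name] = parse_acl(prop.findtext("value") or "")
    return result


def is_allowed(acl, user, user_groups=()):
    """Check one user (and optional group memberships) against a parsed ACL."""
    users, groups, wildcard = acl
    return wildcard or user in users or any(g in groups for g in user_groups)


if __name__ == "__main__":
    for name, (users, groups, wildcard) in audit_policy(SAMPLE_POLICY).items():
        flag = "OPEN TO ALL USERS" if wildcard else f"users={users} groups={groups}"
        print(f"{name}: {flag}")
```

Under the first-blank rule assumed here, a blank after a comma moves every later name into the group list, so it is worth checking the parsed result for each ACL before refreshing or restarting the service.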
1

I think ...

MapReducePolicyProvider.java uses:
import org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol;

MRAdmin.java uses:
import org.apache.hadoop.mr1security.authorize.RefreshAuthorizationPolicyProtocol;

This mismatch causes the error.

But I don't know why a different class is used in each file.