[CDAP-11955] Sometimes wrong user is used to delete the namespace in explore. - CDAP Community Issue Tracker

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 4.2.1, 3.5.5, 4.1.1, 4.0.1
Fix Version/s: 4.3.0, 4.2.1, 4.1.2
Component/s: Security
Labels:
- TR
- authorization
- zen

Release Notes:
Fixed a bug that sometimes wrong user is used in explore, which results in the failure of deleting namespace.
Rank:
1|i0043r:

Description

The issue I observed:
Alice was logged in and had the privilege to delete the namespace but the operation failed with following stacktrace, indicating eve is making query, not sure why this happens and how to reproduce:

2017-06-14 22:58:54,386 WARN co.cask.cdap.internal.app.namespace.DefaultNamespaceAdmin: Error while deleting namespace namespace:test
co.cask.cdap.explore.service.ExploreException: Cannot remove a namespace. Reason: Response code: 500, message: 'Internal Server Error', body: 'Failed to get namespace meta for the
 namespace namespace:test'
        at co.cask.cdap.explore.client.ExploreHttpClient.deleteNamespace(ExploreHttpClient.java:482) ~[na:na]
        at co.cask.cdap.explore.client.AbstractExploreClient.deleteNamespace(AbstractExploreClient.java:66) ~[na:na]
        at co.cask.cdap.explore.client.AbstractExploreClient$20.getHandle(AbstractExploreClient.java:330) ~[na:na]
        at co.cask.cdap.explore.client.AbstractExploreClient$21.call(AbstractExploreClient.java:342) ~[na:na]
        at co.cask.cdap.explore.client.AbstractExploreClient$21.call(AbstractExploreClient.java:339) ~[na:na]
        at java.util.concurrent.FutureTask.run(FutureTask.java:262) ~[na:1.7.0_75]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) ~[na:1.7.0_75]
        at java.util.concurrent.FutureTask.run(FutureTask.java:262) ~[na:1.7.0_75]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178) ~[na:1.7.0_75]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292) ~[na:1.7.0_75]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) ~[na:1.7.0_75]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) ~[na:1.7.0_75]
        at java.lang.Thread.run(Thread.java:745) ~[na:1.7.0_75]
2017-06-14 22:58:54,380 WARN org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException as:cdap/authorization24354-1000.dev.continuuity.net@CONTINUUITY.NET (auth:SIMPLE) cause:co.cask.cdap.explore.service.ExploreException: Failed to get namespace meta for the namespace namespace:test
2017-06-14 22:58:54,381 ERROR co.cask.cdap.common.HttpExceptionHandler: Unexpected error: request=DELETE /v3/data/explore/namespaces/test user=eve:
co.cask.cdap.explore.service.ExploreException: Failed to get namespace meta for the namespace namespace:test
        at co.cask.cdap.explore.service.hive.BaseHiveExploreService.deleteNamespace(BaseHiveExploreService.java:813)
        at co.cask.cdap.explore.executor.ExploreMetadataHttpHandler$6$1.call(ExploreMetadataHttpHandler.java:167)
        at co.cask.cdap.explore.executor.ExploreMetadataHttpHandler$6$1.call(ExploreMetadataHttpHandler.java:164)
        at co.cask.cdap.security.impersonation.ImpersonationUtils$1.run(ImpersonationUtils.java:46)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
        at co.cask.cdap.security.impersonation.ImpersonationUtils.doAs(ImpersonationUtils.java:43)
        at co.cask.cdap.security.impersonation.DefaultImpersonator.doAs(DefaultImpersonator.java:70)
        at co.cask.cdap.security.impersonation.DefaultImpersonator.doAs(DefaultImpersonator.java:59)
        at co.cask.cdap.explore.executor.ExploreMetadataHttpHandler$6.execute(ExploreMetadataHttpHandler.java:164)
        at co.cask.cdap.explore.executor.ExploreMetadataHttpHandler$6.execute(ExploreMetadataHttpHandler.java:159)
        at co.cask.cdap.explore.executor.AbstractExploreMetadataHttpHandler$1.execute(AbstractExploreMetadataHttpHandler.java:53)
        at co.cask.cdap.explore.executor.AbstractExploreMetadataHttpHandler$1.execute(AbstractExploreMetadataHttpHandler.java:49)
        at co.cask.cdap.explore.executor.AbstractExploreMetadataHttpHandler.genericEndpointExecution(AbstractExploreMetadataHttpHandler.java:65)
        at co.cask.cdap.explore.executor.AbstractExploreMetadataHttpHandler.handleResponseEndpointExecution(AbstractExploreMetadataHttpHandler.java:49)
        at co.cask.cdap.explore.executor.ExploreMetadataHttpHandler.delete(ExploreMetadataHttpHandler.java:159)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)

Attachments

Issue Links

relates to

CDAP-12006 Namespace deletion should clean up the hive tables before dropping the hive database.

Open

CDAP-12021 long term fix for setting the requesting user for REST call

Open

Welcome to CDAP OSS Community

Sometimes wrong user is used to delete the namespace in explore.

Details

Description

Attachments

Issue Links

Activity

People

Dates