CDAP-7387

When authorization is enabled, Log saver is unable to save logs for a namespace with impersonation


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.1
    • Fix Version/s: 3.5.2
    • Component/s: Log, Security
    • Release Notes:
      Added support to LogSaver to impersonate

      Description

      When log saver is attempting to save logs, it may need to impersonate a user to write the logs to file. Because of this, it queries the namespace's configs.
      When authorization is enabled, the cdap system user does not have authorization on a namespace that has impersonation configured.
      Because of this, the cdap user cannot query the namespace.

      Here is the stack trace that is repeatedly logged in log saver:

      2016-09-29 14:02:41,001 - ERROR [log-saver-log-processor-4:c.c.c.c.n.AbstractNamespaceQueryClient@69] - Caught exception during save, will try again with backoff.
      java.io.IOException: Cannot get namespace namespace:some_namespace. Reason: Principal 'Principal{name='cdap', type=USER}' does not have privileges to access entity 'namespace:some_namespace'
              at co.cask.cdap.common.namespace.AbstractNamespaceQueryClient.get(AbstractNamespaceQueryClient.java:69)
              at co.cask.cdap.common.security.DefaultImpersonator.getUGI(DefaultImpersonator.java:74)
              at co.cask.cdap.common.security.DefaultImpersonator.doAs(DefaultImpersonator.java:59)
              at co.cask.cdap.logging.write.AvroFileWriter.createLocation(AvroFileWriter.java:210)
              at co.cask.cdap.logging.write.AvroFileWriter.createAvroFile(AvroFileWriter.java:184)
              at co.cask.cdap.logging.write.AvroFileWriter.getAvroFile(AvroFileWriter.java:177)
              at co.cask.cdap.logging.write.AvroFileWriter.append(AvroFileWriter.java:110)
              at co.cask.cdap.logging.save.CheckpointingLogFileWriter.append(CheckpointingLogFileWriter.java:72)
              at co.cask.cdap.logging.save.LogWriter.run(LogWriter.java:128)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
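
A triage sketch for the error above, added here as an example and not part of the original issue or of CDAP's code: it groups the denials by principal and entity to list the namespaces whose logs the log saver cannot write. The sample log is constructed from the trace in this issue; the function names, the second timestamp, the unrelated INFO entry and the `min_repeats` threshold are assumptions.

```python
import re
from collections import Counter

# Entry header: timestamp, level, [thread:logger@line]
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (\w+) \[([^:\]]+):")
# Denial text as it appears in the IOException message quoted in this issue
DENIED = re.compile(r"Principal 'Principal\{name='([^']+)', type=(\w+)\}' "
                    r"does not have privileges to access entity '([^']+)'")
IMPERSONATOR_FRAME = "DefaultImpersonator.getUGI"  # frame from the issue's stack trace

# Constructed sample: the issue's error repeated (second timestamp is made up),
# with one unrelated entry in between.
_ENTRY = ("{ts} - ERROR [log-saver-log-processor-4:c.c.c.c.n.AbstractNamespaceQueryClient@69]"
          " - Caught exception during save, will try again with backoff.\n"
          "java.io.IOException: Cannot get namespace namespace:some_namespace. Reason: "
          "Principal 'Principal{{name='cdap', type=USER}}' does not have privileges "
          "to access entity 'namespace:some_namespace'\n"
          "\tat co.cask.cdap.common.security.DefaultImpersonator.getUGI(DefaultImpersonator.java:74)\n")
SAMPLE_LOG = (_ENTRY.format(ts="2016-09-29 14:02:41,001")
              + "2016-09-29 14:02:43,120 - INFO [main:c.e.Example@10] - unrelated entry\n"
              + _ENTRY.format(ts="2016-09-29 14:02:45,007"))

def find_denials(log_text):
    """Return one record per log entry that contains an authorization denial."""
    entries = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # new entry; following lines (message, frames) are its body
            entries.append({"time": m.group(1), "thread": m.group(3), "body": ""})
        elif entries:
            entries[-1]["body"] += line.strip() + "\n"
    records = []
    for e in entries:
        d = DENIED.search(e["body"])
        if d:
            records.append({"time": e["time"], "thread": e["thread"],
                            "principal": d.group(1), "type": d.group(2),
                            "entity": d.group(3),
                            # denial raised while resolving the impersonated user
                            "during_impersonation": IMPERSONATOR_FRAME in e["body"]})
    return records

def blocked_namespaces(records, min_repeats=2):
    """Entities the log saver keeps failing on: logs for these are not being saved."""
    counts = Counter((r["principal"], r["entity"]) for r in records
                     if r["thread"].startswith("log-saver") and r["during_impersonation"])
    return {key: n for key, n in counts.items() if n >= min_repeats}
```
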
      


              People

              • Assignee: Rohit Sinha (rsinha)
              • Reporter: Ali Anwar (ali.anwar)
