Issue:
The Transformer launcher fails because the UID the OpenShift container runs as has no Unix username (no /etc/passwd entry):
ERROR DataTransformerLauncher - failure to login: javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input: name
at com.sun.security.auth.UnixPrincipal.<init>(UnixPrincipal.java:71)
at com.sun.security.auth.module.UnixLoginModule.login(UnixLoginModule.java:133)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1926)
at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1837)
at org.apache.hadoop.security.UserGroupInformation.createLoginUser(UserGroupInformation.java:710)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:705)
at com.streamsets.datacollector.security.DefaultLoginUgiProvider.getLoginUgi(DefaultLoginUgiProvider.java:44)
at com.streamsets.datacollector.security.HadoopSecurityUtil.getLoginUser(HadoopSecurityUtil.java:35)
at com.streamsets.pipeline.spark.launcher.SparkSubmitAppLauncher.determineLoginUser(SparkSubmitAppLauncher.scala:476)
at com.streamsets.pipeline.spark.launcher.SparkSubmitAppLauncher.start(SparkSubmitAppLauncher.scala:97)
at com.streamsets.datatransformer.dag.launcher.DataTransformerLauncher.start(DataTransformerLauncher.java:282)
at com.streamsets.datacollector.execution.runner.common.AsyncRunner.lambda$start$3(AsyncRunner.java:151)
at com.streamsets.pipeline.lib.executor.SafeScheduledExecutorService$SafeCallable.lambda$call$0(SafeScheduledExecutorService.java:226)
at com.streamsets.datacollector.security.GroupsInScope.execute(GroupsInScope.java:33)
at com.streamsets.pipeline.lib.executor.SafeScheduledExecutorService$SafeCallable.call(SafeScheduledExecutorService.java:222)
at com.streamsets.pipeline.lib.executor.SafeScheduledExecutorService$SafeCallable.lambda$call$0(SafeScheduledExecutorService.java:226)
at com.streamsets.datacollector.security.GroupsInScope.execute(GroupsInScope.java:33)
at com.streamsets.pipeline.lib.executor.SafeScheduledExecutorService$SafeCallable.call(SafeScheduledExecutorService.java:222)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
Versions affected:
Transformer Deployed in OCP (OpenShift Container Platform)
Solution:
By default, OpenShift containers run with an anonymous user id and group id 0 (aka the "root" group). First, set up your images so that /etc/passwd is owned by group id 0 and has group write access, for example with this Dockerfile snippet:
RUN chgrp root /etc/passwd && chmod ug+rw /etc/passwd
Then add the following logic at container startup; the script below can be used as the image's ENTRYPOINT:
#!/bin/bash
# Resolve the UID/GID the container was actually started with.
myuid=$(id -u)
mygid=$(id -g)
# Look up the UID in the passwd database; empty output means there is no entry.
uidentry=$(getent passwd "$myuid")
if [ -z "$uidentry" ] ; then
    # assumes /etc/passwd has root-group (gid 0) ownership and group write access
    if [ -w /etc/passwd ] ; then
        echo "$myuid:x:$myuid:$mygid:anonymous uid:/tmp:/bin/false" >> /etc/passwd
    else
        echo "Container ENTRYPOINT failed to add passwd entry for anonymous UID" >&2
    fi
fi
# Hand off to the container's command (CMD / args) without leaving a shell in between.
exec "$@"
This entrypoint script automatically provides a passwd entry for the anonymous UID, so that the Transformer launch will not fail.
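Added example, not code from the original article or from StreamSets: the same entry-creation logic as a reusable, idempotent shell function that works on any passwd file, so it can be verified against a constructed copy before being wired into the real /etc/passwd; the UID 1000670000 and the helper names ensure_passwd_entry and name_for_uid are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): an idempotent helper that
# ensures a passwd entry exists for a given UID/GID. It takes the passwd file
# as a parameter so it can be exercised on a constructed copy.
# Assumptions: the target file is writable by the current process; the GECOS
# "anonymous uid", /tmp home and /bin/false shell mirror the article's entrypoint.
ensure_passwd_entry() {
    local passwd_file="$1" uid="$2" gid="$3"
    # Field 3 of passwd is the UID; match it exactly so uid 10 does not match 1000.
    if awk -F: -v u="$uid" '$3 == u { found=1 } END { exit !found }' "$passwd_file"; then
        return 0              # entry already present: nothing to do
    fi
    if [ ! -w "$passwd_file" ]; then
        echo "cannot add passwd entry for uid $uid: $passwd_file is not writable" >&2
        return 1
    fi
    # Non-interactive account: no password hash (x), /tmp home, non-login shell.
    printf '%s:x:%s:%s:anonymous uid:/tmp:/bin/false\n' "$uid" "$uid" "$gid" >> "$passwd_file"
}

# Lookup helper: prints the login name for a UID from the given file, or nothing.
name_for_uid() {
    awk -F: -v u="$2" '$3 == u { print $1; exit }' "$1"
}

# Demonstration on a constructed passwd file (not the container's real /etc/passwd).
demo() {
    local tmp
    tmp=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp"
    ensure_passwd_entry "$tmp" 1000670000 0   # constructed OpenShift-style UID, gid 0
    ensure_passwd_entry "$tmp" 1000670000 0   # second call is a no-op
    name_for_uid "$tmp" 1000670000            # prints 1000670000
    rm -f "$tmp"
}
demo
```

Making /etc/passwd group-writable means any process running with gid 0 can add accounts, so limit that write to this single append and keep the /bin/false shell so the entry cannot be used for an interactive login.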