Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.21.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      Hide
      Added job-level authorization to MapReduce. JobTracker will now use the cluster configuration "mapreduce.cluster.job-authorization-enabled" to enable the checks to verify the authority of access of jobs where ever needed. Introduced two job-configuration properties to specify ACLs: "mapreduce.job.acl-view-job" and "mapreduce.job.acl-modify-job". For now, RPCs related to job-level counters, task-level counters and tasks' diagnostic information are protected by "mapreduce.job.acl-view-job" ACL. "mapreduce.job.acl-modify-job" protects killing of a job, killing a task of a job, failing a task of a job and setting the priority of a job. Irrespective of the above two ACLs, job-owner, superuser and members of supergroup configured on JobTracker via mapred.permissions.supergroup, can do all the view and modification operations.
      Show
      Added job-level authorization to MapReduce. JobTracker will now use the cluster configuration "mapreduce.cluster.job-authorization-enabled" to enable the checks to verify the authority of access of jobs where ever needed. Introduced two job-configuration properties to specify ACLs: "mapreduce.job.acl-view-job" and "mapreduce.job.acl-modify-job". For now, RPCs related to job-level counters, task-level counters and tasks' diagnostic information are protected by "mapreduce.job.acl-view-job" ACL. "mapreduce.job.acl-modify-job" protects killing of a job, killing a task of a job, failing a task of a job and setting the priority of a job. Irrespective of the above two ACLs, job-owner, superuser and members of supergroup configured on JobTracker via mapred.permissions.supergroup, can do all the view and modification operations.

      Description

      It would be good to define the notion of job permissions analogous to file permissions. Then the JobTracker can restrict who can "read" (e.g. look at the job page) or "modify" (e.g. kill) jobs.

        Attachments

        1. MAPREDUCE-1307-20100227-ydist.txt
          57 kB
          Vinod Kumar Vavilapalli
        2. MAPREDUCE-1307-20100226.1-ydist.txt
          57 kB
          Vinod Kumar Vavilapalli
        3. MAPREDUCE-1307-20100217.txt
          60 kB
          Vinod Kumar Vavilapalli
        4. MAPREDUCE-1307-20100215.txt
          39 kB
          Vinod Kumar Vavilapalli
        5. MAPREDUCE-1307-20100211.txt
          36 kB
          Vinod Kumar Vavilapalli
        6. MAPREDUCE-1307-20100210.txt
          35 kB
          Vinod Kumar Vavilapalli
        7. 1307-early-1.patch
          13 kB
          Devaraj Das

          Issue Links

            Activity

              People

              • Assignee:
                vinodkv Vinod Kumar Vavilapalli
                Reporter:
                devaraj Devaraj Das
              • Votes:
                0 Vote for this issue
                Watchers:
                14 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: