Uploaded image for project: 'Hadoop Map/Reduce'
  1. Hadoop Map/Reduce
  2. MAPREDUCE-563 Security features for Map/Reduce
  3. MAPREDUCE-1307

Introduce the concept of Job Permissions

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 0.21.0
    • security
    • None
    • Incompatible change, Reviewed
    • Hide
      Added job-level authorization to MapReduce. JobTracker will now use the cluster configuration "mapreduce.cluster.job-authorization-enabled" to enable the checks to verify the authority of access of jobs where ever needed. Introduced two job-configuration properties to specify ACLs: "mapreduce.job.acl-view-job" and "mapreduce.job.acl-modify-job". For now, RPCs related to job-level counters, task-level counters and tasks' diagnostic information are protected by "mapreduce.job.acl-view-job" ACL. "mapreduce.job.acl-modify-job" protects killing of a job, killing a task of a job, failing a task of a job and setting the priority of a job. Irrespective of the above two ACLs, job-owner, superuser and members of supergroup configured on JobTracker via mapred.permissions.supergroup, can do all the view and modification operations.
      Show
      Added job-level authorization to MapReduce. JobTracker will now use the cluster configuration "mapreduce.cluster.job-authorization-enabled" to enable the checks to verify the authority of access of jobs where ever needed. Introduced two job-configuration properties to specify ACLs: "mapreduce.job.acl-view-job" and "mapreduce.job.acl-modify-job". For now, RPCs related to job-level counters, task-level counters and tasks' diagnostic information are protected by "mapreduce.job.acl-view-job" ACL. "mapreduce.job.acl-modify-job" protects killing of a job, killing a task of a job, failing a task of a job and setting the priority of a job. Irrespective of the above two ACLs, job-owner, superuser and members of supergroup configured on JobTracker via mapred.permissions.supergroup, can do all the view and modification operations.

    Description

      It would be good to define the notion of job permissions analogous to file permissions. Then the JobTracker can restrict who can "read" (e.g. look at the job page) or "modify" (e.g. kill) jobs.

      Attachments

        1. MAPREDUCE-1307-20100227-ydist.txt
          57 kB
          Vinod Kumar Vavilapalli
        2. MAPREDUCE-1307-20100226.1-ydist.txt
          57 kB
          Vinod Kumar Vavilapalli
        3. MAPREDUCE-1307-20100217.txt
          60 kB
          Vinod Kumar Vavilapalli
        4. MAPREDUCE-1307-20100215.txt
          39 kB
          Vinod Kumar Vavilapalli
        5. MAPREDUCE-1307-20100211.txt
          36 kB
          Vinod Kumar Vavilapalli
        6. MAPREDUCE-1307-20100210.txt
          35 kB
          Vinod Kumar Vavilapalli
        7. 1307-early-1.patch
          13 kB
          Devaraj Das

        Issue Links

          blocks

          Sub-task - The sub-task of the issue MAPREDUCE-1455 Authorization for servlets

          • Major - Major loss of function.
          • Closed
          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MAPREDUCE-1483 CompletedJobStore should be authorized using job-acls

          • Major - Major loss of function.
          • Resolved
          relates to

          Sub-task - The sub-task of the issue MAPREDUCE-1455 Authorization for servlets

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MAPREDUCE-1483 CompletedJobStore should be authorized using job-acls

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              vinodkv Vinod Kumar Vavilapalli
              ddas Devaraj Das
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: