>> What about the configuration webinterface.private.actions? It was originally added as part of HADOOP-1484 'cause authentication/authorization were missing back then. Now that we have them in place, it doesn't look like we really need it anymore. I'm fine fixing this in another issue.
If we remove this config now, the default behaviour changes — in the sense that any user can do modify operations on any job (by default — i.e. if the user doesn't enable authorization). This doesn't look good. We need to think about this more and decide.
>> The variable 'conf' should actually be removed, instead of just putting a warning comment about its usage. We should fix the usage of this conf object in this patch itself, which I find is only at one place in JSPUtil.
Hmm. This would need changes like JSPUtil.getJobInfo() taking conf as another parameter, which in turn leads to code changes in all history-related JSPs, which are not touched by this patch. So would it be better to handle this in MAPREDUCE-1493, as that is using getJobInfo() and in turn this "conf" variable?
>> Can we move the UGI.doAs() checks also from all the JSPs into JSPUtil.checkAccessAndGetJob()?...
>> Given above, we can even overload JSPUtil.checkAccessAndGetJob(), (add a new JobOperation enum?) and make it something like JSPUtil.checkAccessAndDoOperation(JobOperation). That will make things much much simpler, I think.
Hmm. This may make the method checkAccessAndDoOperation() complex, as it needs to return a JobInProgress object in one case and doesn't have to return anything in other cases (like killJob, setJobPriority, killTask, failTask). Also, it needs to take different parameters based on the operation it is going to do. What do you say?