[MAPREDUCE-2858] MRv2 WebApp Security - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 0.23.0
Fix Version/s: 0.23.0
Component/s: applicationmaster, mrv2, security
Labels:
None

Target Version/s:

0.23.0
Release Note:

Hide
A new server has been added to yarn. It is a web proxy that sits in front of the AM web UI. The server is controlled by the yarn.web-proxy.address config. If that config is set, and it points to an address that is different then the RM web interface then a separate proxy server needs to be launched.

This can be done by running

yarn-daemon.sh start proxyserver

If a separate proxy server is needed other configs also may need to be set, if security is enabled.
yarn.web-proxy.principal
yarn.web-proxy.keytab

The proxy server is stateless and should be able to support a VIP or other load balancing sitting in front of multiple instances of this server.

Show
A new server has been added to yarn. It is a web proxy that sits in front of the AM web UI. The server is controlled by the yarn.web-proxy.address config. If that config is set, and it points to an address that is different then the RM web interface then a separate proxy server needs to be launched. This can be done by running yarn-daemon.sh start proxyserver If a separate proxy server is needed other configs also may need to be set, if security is enabled. yarn.web-proxy.principal yarn.web-proxy.keytab The proxy server is stateless and should be able to support a VIP or other load balancing sitting in front of multiple instances of this server.
Tags:
webapp, mrv2, security

Description

In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and NameNode (NN)) run as "trusted"
system users, the application masters (AM) run as users who submit the application. While this offers great flexibility
to run multiple version of mapreduce frameworks (including their UI) on the same Hadoop cluster, it has significant
implication for the security of webapps (Please do not discuss company specific vulnerabilities here).

Requirements:

Secure authentication for AM (for app/job level ACLs).
Webapp security should be optional via site configuration.
Support existing pluggable single sign on mechanisms.
Should not require per app/user configuration for deployment.
Should not require special site-wide DNS configuration for deployment.

This the top jira for webapp security. A design doc/notes of threat-modeling and counter measures will be posted on the wiki.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

MAPREDUCE-2858.patch
26/Oct/11 05:40
92 kB
Arun Murthy
MAPREDUCE-2858.patch
26/Oct/11 05:27
91 kB
Arun Murthy
MR-2858.txt
25/Oct/11 16:19
91 kB
Robert Joseph Evans
MR-2858-branch-0.23.txt
25/Oct/11 16:19
92 kB
Robert Joseph Evans
MR-2858.txt
24/Oct/11 17:02
90 kB
Robert Joseph Evans
MR-2858-branch-0.23.txt
24/Oct/11 17:02
91 kB
Robert Joseph Evans
MR-2858.txt
20/Oct/11 16:59
88 kB
Robert Joseph Evans
MR-2858-branch-0.23.txt
20/Oct/11 16:59
89 kB
Robert Joseph Evans
MR-2858.txt
20/Oct/11 15:37
89 kB
Robert Joseph Evans
MR-2858-branch-0.23.txt
20/Oct/11 15:37
90 kB
Robert Joseph Evans

Issue Links

is related to

MAPREDUCE-3174 app master UI goes away when app finishes - not very user friendly

Open

relates to

MAPREDUCE-3231 Improve Application Master And Job History UI Security

Open

Activity

People

Assignee:: Robert Joseph Evans

Reporter:: Luke Lu

Votes:: 0 Vote for this issue

Watchers:: 16 Start watching this issue

Dates

Created:: 18/Aug/11 21:57

Updated:: 15/Nov/11 00:49

Resolved:: 26/Oct/11 06:34