hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From omal...@apache.org
Subject svn commit: r1077332 - in /hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs: cluster_setup.xml mapred_tutorial.xml
Date Fri, 04 Mar 2011 04:04:19 GMT
Author: omalley
Date: Fri Mar  4 04:04:19 2011
New Revision: 1077332

URL: http://svn.apache.org/viewvc?rev=1077332&view=rev
commit 8880f282ffbf15933566febfb62d26f9dbe8e213
Author: Hemanth Yamijala <yhemanth@yahoo-inc.com>
Date:   Thu Mar 18 12:05:01 2010 +0530

    MAPREDUCE:1604 from https://issues.apache.org/jira/secure/attachment/12439114/patch-1604-ydist.txt
    +++ b/YAHOO-CHANGES.txt
    +    MAPREDUCE-1604. Update Forrest documentation for job authorization
    +    ACLs. (Amareshwari Sriramadasu via yhemanth)


Modified: hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml?rev=1077332&r1=1077331&r2=1077332&view=diff
--- hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml
+++ hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml
Fri Mar  4 04:04:19 2011
@@ -294,15 +294,26 @@
-          <td>Specifies whether ACLs are supported for controlling job
-              submission and administration</td>
+          <td>Boolean, specifying whether queue ACLs are supported for 
+              authorizing job submission and job administration in a 
+              queue</td>
-            If <em>true</em>, ACLs would be checked while submitting
+            If <em>true</em>, queue ACLs would be checked while submitting
             and administering jobs. ACLs can be specified using the
             configuration parameters of the form
             <em>mapred.queue.queue-name.acl-name</em>, defined below.
+        <tr>
+          <td>mapreduce.cluster.job-authorization-enabled</td>
+          <td>Boolean, specifying whether job ACLs are supported for 
+              authorizing view and modification of a job</td>
+          <td>
+            If <em>true</em>, job ACLs would be checked while viewing or
+            modifying a job. More details are available at 
+            <a href ="mapred_tutorial.html#Job+Authorization">Job Authorization</a>.

+          </td>
+        </tr>
       <p><br/><code> conf/mapred-queue-acls.xml</code></p>
@@ -599,7 +610,7 @@
             The LinuxTaskController requires that paths including and leading up
             to the directories specified in
-            <em>mapreduce.cluster.local.dir</em> and <em>hadoop.log.dir</em>
+            <em>mapred.local.dir</em> and <em>hadoop.log.dir</em>
             be set 755 permissions.

Modified: hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml?rev=1077332&r1=1077331&r2=1077332&view=diff
--- hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml
+++ hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml
Fri Mar  4 04:04:19 2011
@@ -1486,6 +1486,60 @@
         <p>Normally the user creates the application, describes various facets 
         of the job via <code>JobConf</code>, and then uses the 
         <code>JobClient</code> to submit the job and monitor its progress.</p>
+        <section>
+          <title>Job Authorization</title>
+          <p>Job level authorization is enabled on the cluster, if the configuration
+          <code>mapreduce.cluster.job-authorization-enabled</code> is set to
+          true. When enabled, access control checks are done by the JobTracker
+          and the TaskTracker before allowing users to view
+          job details or to modify a job using Map/Reduce APIs,
+          CLI or web user interfaces.</p>
+          <p>A job submitter can specify access control lists for viewing or
+          modifying a job via the configuration properties
+          <code>mapreduce.job.acl-view-job</code> and
+          <code>mapreduce.job.acl-modify-job</code> respectively. By default,

+          nobody is given access in these properties.</p> 
+          <p>However, irrespective of the ACLs configured, a job's owner,
+          the superuser and the members of an admin configured supergroup
+          (<code>mapred.permissions.supergroup</code>) always have access to
+          view and modify a job.</p>
+          <p> A job view ACL authorizes users against the configured 
+          <code>mapreduce.job.acl-view-job</code> before returning possibly 
+          sensitive information about a job, like: </p>
+          <ul>
+            <li> job level counters </li>
+            <li> task level counters </li>
+            <li> tasks's diagnostic information </li>
+            <li> task logs displayed on the TaskTracker web UI </li>
+            <li> job.xml showed by the JobTracker's web UI </li>
+          </ul>
+          <p>Other information about a job, like its status and its profile, 
+          is accessible to all users, without requiring authorization.</p>
+          <p> A job modification ACL authorizes users against the configured
+          <code>mapreduce.job.acl-modify-job</code> before allowing
+          modifications to jobs, like: </p>
+          <ul>
+            <li> killing a job </li>
+            <li> killing/failing a task of a job </li>
+            <li> setting the priority of a job </li>
+          </ul>
+          <p>These operations are also protected by the queue level ACL,
+          "acl-administer-jobs", configured via mapred-queue-acls.xml. The caller
+          will be authorized against both queue level ACLs and job level ACLs,
+          depending on what is enabled.</p>
+          <p>The format of a job level ACL is the same as the format for a
+          queue level ACL as defined in the
+          <a href ="cluster_setup.html#Configuring+the+Hadoop+Daemons">
+          Cluster Setup</a> documentation.
+          </p>
+        </section>
           <title>Job Control</title>

View raw message