hadoop-common-dev mailing list archives

From "Raghu Angadi (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-1873) User permissions for Map/Reduce
Date Fri, 21 Sep 2007 23:05:50 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-1873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12529585 ]

Raghu Angadi commented on HADOOP-1873:
--------------------------------------

The current proposal is to just pass a ticket through the {{submitJob()}} interface and propagate it
to tasks. It may not work if a ticket has a timeout (Kerberos?). This implementation might
have to when there is support for short-lived timeout. In that case, HDFS could support a
special ticket that can impersonate other users:

- When Job tracker accepts a job, it first validates the user. If the user is allowed to run
a job, it creates a new ticket (using the configured security module) and renews the tickets
over time (just like DFSClient would review).
- For Namenode RPCs, it uses a wrapper/nested ticket that includes the user it wants to impersonate.
Namenode verifies the actual user and, if that user is allowed to impersonate others, then
executes the RPC as the intended user.

I think for now, we can just pass the JobClient's ticket around.


> User permissions for Map/Reduce
> -------------------------------
>
>                 Key: HADOOP-1873
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1873
>             Project: Hadoop
>          Issue Type: Improvement
>            Reporter: Raghu Angadi
>            Assignee: Raghu Angadi
>
> HADOOP-1298 and HADOOP-1701 add permissions and pluggable security for DFS files and DFS accesses. The same user permissions should work for Map/Reduce jobs as well.
> User permission should propagate from client to map/reduce tasks and all the file operations should be subject to user permissions. This is transparent to the user (i.e. no changes to user code should be required).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
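
The nested-ticket check described in the comment above, as an added Java example that is not part of the original message or of Hadoop's code. Every type, field, policy entry and user name here is hypothetical, and ticket authenticity is assumed to have been verified already by the configured security module; only expiry and the impersonation policy are modelled.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Set;

// Hypothetical names throughout; none of these types exist in Hadoop.
public class NestedTicketDemo {
    // A ticket as issued by the security module: who it is for and when it expires.
    record Ticket(String user, Instant expiry) {
        boolean validAt(Instant now) { return now.isBefore(expiry); }
    }

    // Wrapper sent on NameNode RPCs: the caller's own ticket plus the user to act as.
    record NestedTicket(Ticket actual, String onBehalfOf) {}

    // NameNode-side policy (constructed sample): which principals may impersonate whom.
    static final Map<String, Set<String>> MAY_IMPERSONATE =
        Map.of("jobtracker", Set.of("alice", "bob"));

    // Returns the user the RPC should execute as, or throws if the request is refused.
    static String effectiveUser(NestedTicket t, Instant now) {
        String caller = t.actual().user();
        // A timed-out ticket is refused outright, which is why the holder must renew it.
        if (!t.actual().validAt(now))
            throw new SecurityException("ticket expired for " + caller);
        // No impersonation requested: run as the authenticated caller.
        if (t.onBehalfOf() == null || t.onBehalfOf().equals(caller))
            return caller;
        // Impersonation requested: the actual user must be allowed to act as the target.
        Set<String> allowed = MAY_IMPERSONATE.getOrDefault(caller, Set.of());
        if (!allowed.contains(t.onBehalfOf()))
            throw new SecurityException(caller + " may not impersonate " + t.onBehalfOf());
        return t.onBehalfOf();
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2007-09-21T23:05:50Z"); // constructed clock value
        Ticket jt = new Ticket("jobtracker", now.plusSeconds(300)); // short-lived ticket
        Ticket user = new Ticket("alice", now.plusSeconds(300));

        // JobTracker acting for the job's submitter: accepted.
        System.out.println("runs as: " + effectiveUser(new NestedTicket(jt, "alice"), now));
        // An ordinary user trying to act as someone else: refused by policy.
        try { effectiveUser(new NestedTicket(user, "bob"), now); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
        // Same JobTracker ticket after its lifetime, never renewed: refused.
        try { effectiveUser(new NestedTicket(jt, "alice"), now.plusSeconds(301)); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```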

