hadoop-common-dev mailing list archives

From "Hemanth Yamijala (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-3698) Implement access control for submitting jobs to queues in the JobTracker
Date Mon, 18 Aug 2008 08:27:44 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-3698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12623283#action_12623283 ]

Hemanth Yamijala commented on HADOOP-3698:
------------------------------------------

- We could have an implementation on the following lines:

{code}
import org.apache.hadoop.conf.Configuration;

abstract class QueueAccessVerifier {

  enum QueueOperation {
    SUBMIT_JOB,
    LIST_JOBS,
    ADMINISTER_JOBS
    // ..
  }

  private Configuration conf;

  public void setConfiguration(Configuration conf) {
    this.conf = conf;
  }

  public Configuration getConfiguration() {
    return conf;
  }

  // basic initialization, for e.g. read up a conf file which has the list
  // of configured groups and users, and so on.
  public abstract void initialize();

  // verify if the specified operation is allowed on the specified queue
  public abstract boolean verifyAccess(QueueOperation operation, 
                                        String queue);
}
{code}

- The class name of a concrete implementation of QueueAccessVerifier can be specified in hadoop's
configuration using a new variable, say {{hadoop.rm.accessverifier}}, and initialized by the
JobTracker.
- Following this, implementations of methods defined in JobSubmissionProtocol, such as {{submitJob}}
and {{killJob}}, can use the instance of QueueAccessVerifier to check if the operation is
allowed or not.
- In order to get the currently logged in user and his/her groups, we can probably re-use
the UserGroupInformation class that HDFS uses for permission checking. If we decide to follow
that route, JobClient could set the {{UGI_PROPERTY_NAME}} just like DFSClient does, by doing
a login.

Please let me know if this approach seems fine.

> Implement access control for submitting jobs to queues in the JobTracker
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-3698
>                 URL: https://issues.apache.org/jira/browse/HADOOP-3698
>             Project: Hadoop Core
>          Issue Type: New Feature
>          Components: mapred
>            Reporter: Hemanth Yamijala
>            Assignee: Hemanth Yamijala
>             Fix For: 0.19.0
>
>
> HADOOP-3445 implements multiple queues in the JobTracker as part of the new resource manager for Hadoop (HADOOP-3421). There needs to be a mechanism to control who can submit jobs to a specified queue. This JIRA is for tracking the requirements, approach and implementation for the same.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
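
Added example, not part of the original message or of Hadoop's code: a stand-alone sketch of what a concrete per-queue ACL check behind the proposed {{verifyAccess}} could look like, denying by default when a queue has no ACL. Assumptions: the class name, the property key format, a plain Map standing in for Hadoop's Configuration, and the caller's user and groups passed in explicitly instead of being read from UserGroupInformation.

```java
import java.util.*;

public class AclQueueAccessVerifier {
  enum QueueOperation { SUBMIT_JOB, LIST_JOBS, ADMINISTER_JOBS }

  private final Map<String, Set<String>> users = new HashMap<>();
  private final Map<String, Set<String>> groups = new HashMap<>();

  // props stands in for Hadoop's Configuration. Hypothetical key format:
  //   queue.<name>.acl.<OPERATION> = "user1,user2 group1,group2"
  public AclQueueAccessVerifier(Map<String, String> props) {
    for (Map.Entry<String, String> e : props.entrySet()) {
      String v = e.getValue();
      int sp = v.indexOf(' ');  // users before the first space, groups after
      users.put(e.getKey(), parse(sp < 0 ? v : v.substring(0, sp)));
      groups.put(e.getKey(), parse(sp < 0 ? "" : v.substring(sp + 1)));
    }
  }

  private static Set<String> parse(String csv) {
    Set<String> out = new HashSet<>();
    for (String s : csv.split(",")) {
      if (!s.trim().isEmpty()) out.add(s.trim());
    }
    return out;
  }

  // Identity is passed in explicitly here (assumption); the check is only as
  // trustworthy as whatever authenticated that identity.
  public boolean verifyAccess(QueueOperation op, String queue,
                              String user, Collection<String> userGroups) {
    String key = "queue." + queue + ".acl." + op;
    Set<String> allowedUsers = users.get(key);
    if (allowedUsers == null) return false;  // no ACL configured: deny
    return allowedUsers.contains(user)
        || !Collections.disjoint(groups.get(key), userGroups);
  }

  public static void main(String[] args) {
    Map<String, String> props = new HashMap<>();  // constructed sample config
    props.put("queue.research.acl.SUBMIT_JOB", "alice devs");
    props.put("queue.research.acl.ADMINISTER_JOBS", "carol");
    AclQueueAccessVerifier v = new AclQueueAccessVerifier(props);
    List<String> devs = Arrays.asList("devs");
    System.out.println(v.verifyAccess(QueueOperation.SUBMIT_JOB, "research", "bob", devs));
    System.out.println(v.verifyAccess(QueueOperation.ADMINISTER_JOBS, "research", "bob", devs));
    System.out.println(v.verifyAccess(QueueOperation.SUBMIT_JOB, "prod", "alice", devs));
  }
}
```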

