hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "BELUGA BEHR (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12644) Access Control List Syntax
Date Tue, 15 Dec 2015 18:53:46 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

BELUGA BEHR updated HADOOP-12644:
---------------------------------
    Description: 
Hello,

I was recently learning about the configuration option "mapreduce.job.acl-view-job."  I was
looking at the syntax and the code.  I would like to suggest some improvements.

??the format to use is "user1,user2 group1,group". If set to '*', it allows all users/groups
to modify this job. If set to ' '(i.e. space), it allows none.??

In reality though, the code is written to split the line on the first space it finds.  So:

"user1,user2 group1, group2" will work.
(user1,user2),(group1, group2)

"user1, user2 group1,group2" does not work:
(user1,),(user2 group1, group2)

Also, there are many ways to specify "all":
"*"
" *"
"* "
"* *"
"user1,user2 *"
"* group1,group2"

I would like to see the code more strictly enforce what is written in the documentation. This
will guard against configuration mistakes.  If the input does not match the syntax, an error
should be produced and made available in the logs. The use of a semi-colon as a delimiter
is advisable so that any white-space in the list of users or groups can simply be ignore.

||mapreduce.job.acl-view-job||Meaning||
|"*"|All access|
|" "|No access|
|"user1;"|User-only access|
|";group1"|Group-only access|
|"user1;group1"|User & Group access|

  was:
Hello,

I was recently learning about the configuration option "mapreduce.job.acl-view-job."  I was
looking at the syntax and the code.  I would like to suggest some improvements.

??the format to use is "user1,user2 group1,group". If set to '*', it allows all users/groups
to modify this job. If set to ' '(i.e. space), it allows none.??

In reality though, the code is written to split the line on the first space it finds.  So:

user1,user2 group1, group2 will work.
(user1,user2),(group1, group2)

user1, user2 group1,group does not work:
(user1,),(user2 group1, group2)

Also, there are many ways to specify "all":
"*"
" *"
"* "
"* *"
"user1,user2 *"
"* group1,group2"

I would like to see the code more strictly enforce what is written in the documentation. This
will guard against configuration mistakes.  If the input does not match the syntax, an error
should be produced and made available in the logs. The use of a semi-colon as a delimiter
is advisable so that any white-space in the list of users or groups can simply be ignore.

||mapreduce.job.acl-view-job||Meaning||
|"*"|All access|
|" "|No access|
|"user1;"|User-only access|
|";group1"|Group-only access|
|"user1;group1"|User & Group access|


> Access Control List Syntax
> --------------------------
>
>                 Key: HADOOP-12644
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12644
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: BELUGA BEHR
>            Priority: Minor
>
> Hello,
> I was recently learning about the configuration option "mapreduce.job.acl-view-job."
 I was looking at the syntax and the code.  I would like to suggest some improvements.
> ??the format to use is "user1,user2 group1,group". If set to '*', it allows all users/groups
to modify this job. If set to ' '(i.e. space), it allows none.??
> In reality though, the code is written to split the line on the first space it finds.
 So:
> "user1,user2 group1, group2" will work.
> (user1,user2),(group1, group2)
> "user1, user2 group1,group2" does not work:
> (user1,),(user2 group1, group2)
> Also, there are many ways to specify "all":
> "*"
> " *"
> "* "
> "* *"
> "user1,user2 *"
> "* group1,group2"
> I would like to see the code more strictly enforce what is written in the documentation.
This will guard against configuration mistakes.  If the input does not match the syntax, an
error should be produced and made available in the logs. The use of a semi-colon as a delimiter
is advisable so that any white-space in the list of users or groups can simply be ignore.
> ||mapreduce.job.acl-view-job||Meaning||
> |"*"|All access|
> |" "|No access|
> |"user1;"|User-only access|
> |";group1"|Group-only access|
> |"user1;group1"|User & Group access|



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message