hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Devaraj Das (JIRA)" <j...@apache.org>
Subject [jira] Updated: (MAPREDUCE-181) Secure job submission
Date Thu, 17 Dec 2009 23:36:18 GMT

     [ https://issues.apache.org/jira/browse/MAPREDUCE-181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Devaraj Das updated MAPREDUCE-181:
----------------------------------

    Attachment: 181-5.1.patch

Thanks for the review, Owen. This patch addresses the concerns. I also did one more change
- the JobInProgress constructor now checks whether the username in the submitted jobconf is
the same as the one obtained from the UGI, and if not, fails the job submission. Ideally,
we should not use conf.getUser anywhere but since it is used even in the TaskTracker code,
i left it as it is but instead fail the job submission if the user string from the two sources
don't match..

> Secure job submission 
> ----------------------
>
>                 Key: MAPREDUCE-181
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-181
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>            Reporter: Amar Kamat
>            Assignee: Devaraj Das
>             Fix For: 0.22.0
>
>         Attachments: 181-1.patch, 181-2.patch, 181-3.patch, 181-3.patch, 181-4.patch,
181-5.1.patch, hadoop-3578-branch-20-example-2.patch, hadoop-3578-branch-20-example.patch,
HADOOP-3578-v2.6.patch, HADOOP-3578-v2.7.patch, MAPRED-181-v3.32.patch, MAPRED-181-v3.8.patch
>
>
> Currently the jobclient accesses the {{mapred.system.dir}} to add job details. Hence
the {{mapred.system.dir}} has the permissions of {{rwx-wx-wx}}. This could be a security loophole
where the job files might get overwritten/tampered after the job submission. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message