hadoop-mapreduce-issues mailing list archives

From "Ravi Gummadi (JIRA)" <j...@apache.org>
Subject [jira] Commented: (MAPREDUCE-1455) Authorization for servlets
Date Wed, 10 Feb 2010 19:50:31 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12832149#action_12832149 ]

Ravi Gummadi commented on MAPREDUCE-1455:

(1) As history files don't have job ACLs stored along with them, accessing history related
web pages will not be protected as part of this JIRA. That can be done as an improvement to
this JIRA later.

(2) This JIRA focuses on authorization of users against viewing/modifying jobs only. So no
authorization for web pages that have info about queues, machines.

(3) As tasktracker doesn't have the job ACLs, when anyone tries to access task logs of a
job, I propose we store the job ACLs in a file (say job-acls.xml) when task log files are created
by taskTracker. And tasktracker will read this job-acls.xml when somebody tries to access
task logs using web UI and do the authorization. I guess job-acls.xml can contain only the
2 config properties mapreduce.job.user.name and mapreduce.job.acl-view-job.

(4) Similar to the supergroup existing in jobtracker now, we would need supergroup (same config
property) to be set on taskTracker also. This is to allow members of supergroup to access
task logs. I will deprecate the earlier jobtracker config property and add one at cluster

Thoughts?

> Authorization for servlets
> --------------------------
>                 Key: MAPREDUCE-1455
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1455
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>            Reporter: Devaraj Das
>            Assignee: Ravi Gummadi
>             Fix For: 0.22.0
> This jira is about building the authorization for servlets (on top of MAPREDUCE-1307).
> That is, the JobTracker/TaskTracker runs authorization checks on web requests based on the
> configured job permissions. For e.g., if the job permission is 600, then no one except the
> authenticated user can look at the job details via the browser. The authenticated user in
> the servlet can be obtained using the HttpServletRequest method.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
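
A sketch of the task-log check proposed in points (3) and (4), added here as an illustration; it is not code from the JIRA, its patch, or Hadoop. The class and method names are hypothetical, the ACL value is assumed to use the "users groups" form with `*` meaning everyone, and the supergroup is passed in as an argument because the comment does not name its config property.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class TaskLogAuthz {
    // Parse a Hadoop-style <configuration> document into name -> value pairs.
    static Map<String, String> readProps(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The file lives on the task node's disk, so refuse DTDs when parsing it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Map<String, String> props = new HashMap<>();
        NodeList list = d.getElementsByTagName("property");
        for (int i = 0; i < list.getLength(); i++) {
            Element p = (Element) list.item(i);
            props.put(p.getElementsByTagName("name").item(0).getTextContent().trim(),
                      p.getElementsByTagName("value").item(0).getTextContent());
        }
        return props;
    }

    // ACL value assumed to be "user1,user2 group1,group2"; "*" allows everyone.
    static boolean canViewLogs(Map<String, String> props, String user,
                               Set<String> groups, String superGroup) {
        if (user == null || user.isEmpty()) return false;   // not authenticated
        if (superGroup != null && groups.contains(superGroup)) return true;
        if (user.equals(props.get("mapreduce.job.user.name"))) return true;
        String acl = props.getOrDefault("mapreduce.job.acl-view-job", "");
        if (acl.trim().equals("*")) return true;
        String[] parts = acl.split(" ", 2);                  // [users, groups]
        if (Arrays.asList(parts[0].split(",")).contains(user)) return true;
        if (parts.length == 2)
            for (String g : parts[1].trim().split(","))
                if (!g.isEmpty() && groups.contains(g)) return true;
        return false;                                        // default deny
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample of the proposed job-acls.xml (not from the page).
        String xml = "<configuration>"
            + "<property><name>mapreduce.job.user.name</name><value>alice</value></property>"
            + "<property><name>mapreduce.job.acl-view-job</name><value>bob analysts</value></property>"
            + "</configuration>";
        Map<String, String> acls = readProps(xml);
        System.out.println(canViewLogs(acls, "alice", Set.of("eng"), "hadoop"));
        System.out.println(canViewLogs(acls, "carol", Set.of("analysts"), "hadoop"));
        System.out.println(canViewLogs(acls, "mallory", Set.of("eng"), "hadoop"));
    }
}
```

The three calls cover the job owner, a member of a group named in the view ACL, and a user who matches neither; a missing or empty ACL property falls through to the final deny.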
