hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vinod K V (JIRA)" <j...@apache.org>
Subject [jira] Commented: (MAPREDUCE-1307) Introduce the concept of Job Permissions
Date Sun, 07 Feb 2010 03:36:28 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12830633#action_12830633
] 

Vinod K V commented on MAPREDUCE-1307:
--------------------------------------

The above proposal has some idiosyncrasies and can be improved:
 - The permissions model is not uniform across jobs and queues. Jobs use POSIX model while
queues use ACLs. Having the same model can simplify the code a bit at the same time, users/admins
can use the same model to describe permissions.
 - Job permissions don't strictly follow the POSIX model
    -- executable bit will be ignored completely and has no meaning
    -- a job can be owned by multiple groups whereas a file can only be owned by a single
group
    -- because permissions on queues(directories) are still expressed as ACLs, it is not possible
to extend the job-permissions to say, implement chmod on the job. The patch currently assumes
that the permissions cannot be changed after submission, but this assumption can change in
the future.
    -- It is difficult to extend the permissions in general too - every operation has to be
(forcibly) baked into either the readability or the writability category.

So, I propose we change the job-permissions also to use ACLs. The only downside is that we
lose the simple way of configuring job-permissions using octal numbers, but I think that's
OK because even now queues ARE being described in terms of ACLs.

Thoughts?

> Introduce the concept of Job Permissions
> ----------------------------------------
>
>                 Key: MAPREDUCE-1307
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1307
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Devaraj Das
>             Fix For: 0.22.0
>
>         Attachments: 1307-early-1.patch
>
>
> It would be good to define the notion of job permissions analogous to file permissions.
Then the JobTracker can restrict who can "read" (e.g. look at the job page) or "modify" (e.g.
kill) jobs.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message