hadoop-mapreduce-issues mailing list archives

From "Devaraj Das (JIRA)" <j...@apache.org>
Subject [jira] Commented: (MAPREDUCE-1457) For secure job execution, couple of more UserGroupInformation.doAs needs to be added
Date Sun, 07 Feb 2010 06:48:28 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12830670#action_12830670 ]

Devaraj Das commented on MAPREDUCE-1457:

OK, the individual changes:
1) In the JobTracker, the getStagingArea RPC needs to construct a path for the user to write
job files to. The getStagingArea does a getFileSystem and internally the getFileSystem sets
up a connection to the namenode. For this connection, the JobTracker's credential should be
used. That's why the mrOwner.doAs in that method is required.
2) In Child.java, the task authenticates to the TaskTracker using the jobtoken. The username
in the jobtoken is jobId. The doAs block done using taskOwner is required so that the username
mentioned in the token and the one doing the operation match.
3) In Child.java, the task execution and the task cleanup are within doAs blocks and those
doAs blocks are run as the user submitting the job. In the former part, the task communicates
with the namenode, and in the latter, it could potentially communicate with the namenode (abortTask
creates a connection to the namenode, etc). These are within doAs blocks so that the username
mentioned in the delegation token (the job submitting user) matches the user performing
the operation.

> For secure job execution, couple of more UserGroupInformation.doAs needs to be added
> ------------------------------------------------------------------------------------
>                 Key: MAPREDUCE-1457
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1457
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>    Affects Versions: 0.22.0
>            Reporter: Devaraj Das
>            Assignee: Jakob Homan
>             Fix For: 0.22.0
>         Attachments: MAPREDUCE-1457-BPY20.patch, MAPREDUCE-1457-BPY20.patch, MAPREDUCE-1457.patch, MAPREDUCE-1457.patch, MAPREDUCE-1457.patch
> During our testing in a Kerberos environment, we had to add UserGroupInformation.doAs blocks in certain places.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
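
The identity switching described in the comment above, as an added example that is not code from the MAPREDUCE-1457 patch. It assumes hadoop-common on the classpath and simple (non-Kerberos) authentication; the class name, the job id and the user name "alice" are constructed for illustration, and no tokens are attached to the UGIs.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

public class DoAsIdentityDemo {
    /** Fails closed unless the caller's effective user is the one the token names. */
    static String requireUser(String expected) throws IOException {
        String actual = UserGroupInformation.getCurrentUser().getUserName();
        if (!expected.equals(actual)) {
            throw new IOException("expected " + expected + " but running as " + actual);
        }
        return actual;
    }

    /** An action that only verifies which user it is running as. */
    static PrivilegedExceptionAction<String> check(final String expected) {
        return new PrivilegedExceptionAction<String>() {
            @Override
            public String run() throws IOException {
                return requireUser(expected);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        final String jobId = "job_201002070648_0001";   // constructed sample value
        final String submitter = "alice";               // constructed sample value
        // The process login user stands in for the daemon identity (mrOwner in item 1).
        final UserGroupInformation daemon = UserGroupInformation.getLoginUser();
        UserGroupInformation taskOwner = UserGroupInformation.createRemoteUser(jobId);
        UserGroupInformation jobUser = UserGroupInformation.createRemoteUser(submitter);

        // Missing doAs: the code runs as the process user, so the user names differ.
        try {
            requireUser(jobId);
        } catch (IOException e) {
            System.out.println("without doAs: " + e.getMessage());
        }
        // Item 2: inside taskOwner.doAs the effective user is the job id.
        System.out.println("taskOwner.doAs: " + taskOwner.doAs(check(jobId)));
        // Item 3: task work runs as the submitting user. Item 1: a nested doAs
        // switches to the daemon identity for an operation the daemon must own.
        System.out.println("jobUser.doAs: " + jobUser.doAs(new PrivilegedExceptionAction<String>() {
            @Override
            public String run() throws Exception {
                String outer = requireUser(submitter);
                return outer + ", nested daemon.doAs: " + daemon.doAs(check(daemon.getUserName()));
            }
        }));
    }
}
```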
