Return-Path: Delivered-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org Received: (qmail 65129 invoked from network); 10 Feb 2010 19:50:55 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 10 Feb 2010 19:50:55 -0000 Received: (qmail 94806 invoked by uid 500); 10 Feb 2010 19:50:55 -0000 Delivered-To: apmail-hadoop-mapreduce-issues-archive@hadoop.apache.org Received: (qmail 94751 invoked by uid 500); 10 Feb 2010 19:50:55 -0000 Mailing-List: contact mapreduce-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: mapreduce-issues@hadoop.apache.org Delivered-To: mailing list mapreduce-issues@hadoop.apache.org Received: (qmail 94741 invoked by uid 99); 10 Feb 2010 19:50:55 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Feb 2010 19:50:55 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Feb 2010 19:50:52 +0000 Received: from brutus.apache.org (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 964E1234C48D for ; Wed, 10 Feb 2010 11:50:31 -0800 (PST) Message-ID: <204624789.187961265831431614.JavaMail.jira@brutus.apache.org> Date: Wed, 10 Feb 2010 19:50:31 +0000 (UTC) From: "Ravi Gummadi (JIRA)" To: mapreduce-issues@hadoop.apache.org Subject: [jira] Commented: (MAPREDUCE-1455) Authorization for servlets In-Reply-To: <663344622.28361265262030144.JavaMail.jira@brutus.apache.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/MAPREDUCE-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12832149#action_12832149 ] Ravi Gummadi commented on MAPREDUCE-1455: ----------------------------------------- (1) As history files don't have job ACLs stored along with them, accessing history related web pages will not be protected as part of this JIRA. That can be done as an improvement to this JIRA later. (2) This JIRA focuses on authorization of users against viewing/modifying jobs only. So no authorization for web pages that have info about queues, machines. (3) As tasktracker doesn't have the job ACLs, when any one tries to access task logs of a job, I propose we store the job ACLs in a file say job-acls.xml) when task log files are created by taskTracker. And tasktracker will read this job-acls.xml when somebody tries to access task logs using web UI and does the authorization. I guess job-acls.xml can contain only the 2 config properties mapreduce.job.user.name and mapreduce.job.acl-view-job. (4) Similar to the supergroup existing in jobtracker now, we would need supergroup(same config property) to be set on taskTracker also. This is to allow members of supergroup to access task logs. I will deprecate the earlier jobtracker config property and add one at cluster level. Thoughts ? > Authorization for servlets > -------------------------- > > Key: MAPREDUCE-1455 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1455 > Project: Hadoop Map/Reduce > Issue Type: Sub-task > Reporter: Devaraj Das > Assignee: Ravi Gummadi > Fix For: 0.22.0 > > > This jira is about building the authorization for servlets (on top of MAPREDUCE-1307). That is, the JobTracker/TaskTracker runs authorization checks on web requests based on the configured job permissions. For e.g., if the job permission is 600, then no one except the authenticated user can look at the job details via the browser. The authenticated user in the servlet can be obtained using the HttpServletRequest method. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.