Return-Path: Delivered-To: apmail-hadoop-mapreduce-issues-archive@minotaur.apache.org Received: (qmail 57241 invoked from network); 17 Sep 2010 08:27:59 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 17 Sep 2010 08:27:59 -0000 Received: (qmail 71473 invoked by uid 500); 17 Sep 2010 08:27:59 -0000 Delivered-To: apmail-hadoop-mapreduce-issues-archive@hadoop.apache.org Received: (qmail 71369 invoked by uid 500); 17 Sep 2010 08:27:56 -0000 Mailing-List: contact mapreduce-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: mapreduce-issues@hadoop.apache.org Delivered-To: mailing list mapreduce-issues@hadoop.apache.org Received: (qmail 71355 invoked by uid 99); 17 Sep 2010 08:27:54 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 17 Sep 2010 08:27:54 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.22] (HELO thor.apache.org) (140.211.11.22) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 17 Sep 2010 08:27:53 +0000 Received: from thor (localhost [127.0.0.1]) by thor.apache.org (8.13.8+Sun/8.13.8) with ESMTP id o8H8RXks010344 for ; Fri, 17 Sep 2010 08:27:33 GMT Message-ID: <16591794.247811284712053237.JavaMail.jira@thor> Date: Fri, 17 Sep 2010 04:27:33 -0400 (EDT) From: "Ravi Gummadi (JIRA)" To: mapreduce-issues@hadoop.apache.org Subject: [jira] Updated: (MAPREDUCE-1664) Job Acls affect Queue Acls In-Reply-To: <1291057703.628101270112369320.JavaMail.jira@brutus.apache.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/MAPREDUCE-1664?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ravi Gummadi updated MAPREDUCE-1664: ------------------------------------ Hadoop Flags: [Incompatible change, Reviewed] (was: [Reviewed]) Release Note: * Removed aclsEnabled flag from queues configuration files. * Removed the configuration property mapreduce.cluster.job-authorization-enabled. * Added mapreduce.cluster.acls.enabled as the single configuration property in mapred-default.xml that enables the authorization checks for all job level and queue level operations. * To enable authorization of users to do job level and queue level operations, mapreduce.cluster.acls.enabled is to be set to true in JobTracker's configuration and in all TaskTrackers' configurations. * To get access to a job, it is enough for a user to be part of one of the access lists i.e. either job-acl or queue-admins-acl(unlike before, when, one has to be part of both the lists). * Queue administrators(configured via acl-administer-jobs) of a queue can do all view-job and modify-job operations on all jobs submitted to that queue. * ClusterOwner(who started the mapreduce cluster) and cluster administrators(configured via mapreduce.cluster.permissions.supergroup) can do all job level operations and queue level operations on all jobs on all queues in that cluster irrespective of job-acls and queue-acls configured. * JobOwner(who submitted job to a queue) can do all view-job and modify-job operations on his/her job irrespective of job-acls and queue-acls. * Since aclsEnabled flag is removed from queues configuration files, "refresh of queues configuration" will not change mapreduce.cluster.acls.enabled on the fly. mapreduce.cluster.acls.enabled can be modified only when restarting the mapreduce cluster. > Job Acls affect Queue Acls > -------------------------- > > Key: MAPREDUCE-1664 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1664 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security > Affects Versions: 0.22.0 > Reporter: Ravi Gummadi > Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1664.20S.3.4.patch, 1664.patch, 1664.qAdminsJobView.20S.v1.6.patch, 1664.v1.1.patch, 1664.v1.2.patch, 1664.v1.patch, M1664y20s-testfix.patch, mr-1664-20-bugfix.patch > > > MAPREDUCE-1307 introduced job ACLs for securing job level operations. So in current trunk, queue ACLs and job ACLs are checked(with AND for both acls) for allowing job level operations. So for doing operations like killJob, killTask and setJobPriority user should be part of both mapred.queue.{queuename}.acl-administer-jobs and in mapreduce.job.acl-modify-job. This needs to change so that users who are part of mapred.queue.{queuename}.acl-administer-jobs will be able to do killJob,killTask,setJobPriority and users part of mapreduce.job.acl-modify-job will be able to do killJob,killTask,setJobPriority. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.