Date: Thu, 18 Aug 2011 21:58:27 +0000 (UTC)
From: "Luke Lu (JIRA)"
To: mapreduce-issues@hadoop.apache.org
Subject: [jira] [Created] (MAPREDUCE-2858) MRv2 WebApp Security

MRv2 WebApp Security
--------------------

                 Key: MAPREDUCE-2858
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
             Project: Hadoop Map/Reduce
          Issue Type: Improvement
          Components: mrv2
    Affects Versions: 0.23.0
            Reporter: Luke Lu
            Assignee: Luke Lu
             Fix For: 0.23.0

In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and NameNode (NN)) run as "trusted" system users, the application masters (AM) run as users who submit the application. While this offers great flexibility to run multiple versions of mapreduce frameworks (including their UI) on the same Hadoop cluster, it has significant implications for the security of webapps (Please do not discuss company-specific vulnerabilities here).

Requirements:

0. Secure authentication for AM (for app/job level ACLs).
1. Webapp security should be optional via site configuration.
2. Support existing pluggable single sign-on mechanisms.
3. Should not require per app/user configuration for deployment.
4. Should not require special site-wide DNS configuration for deployment.

This is the top jira for webapp security. A design doc/notes of threat-modeling and countermeasures will be posted on the wiki.