hadoop-mapreduce-issues mailing list archives

From "Alejandro Abdelnur (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-2858) MRv2 WebApp Security
Date Thu, 13 Oct 2011 16:41:12 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13126710#comment-13126710 ]

Alejandro Abdelnur commented on MAPREDUCE-2858:

Maybe I'm not getting enough hours of sleep lately, but I'm not able to get a full understanding
of how the proxy works. Would it be possible to have a sequence diagram showing the steps and
data that flow for a request? Asking because the proxy seems to be talking with the RM, seems
to be rewriting data (URLs), etc, etc. That is not simple stuff.

On a completely different twist, if the concern is about an AM seeing the 'company-wide' cookies
from a user because of the single sign on, wouldn't it be simpler that the AM container provides
an API to register filters & servlets and filters out all cookies before giving control
to the AM filter/servlet? And, to avoid the AM code opening an arbitrary port to listen to
non-curated HTTP requests, the AM container would run with a security manager that prevents
opening new sockets. Recapping:

* The AM container initializes an AM HTTP server.
* The AM HTTP server is preinitialized with any 'company' specific authentication filter.
* The AM runs in a SecurityManager that forbids AM code to open ports.
* The AM code can register servlets and filters to this AM HTTP server.
* The AM code starts the AM HTTP server once all servlets & filters are registered.
* The AM HTTP server filters out all cookies, thus the AM code does not see them.

IMO this addresses the original issues without having to introduce Application Proxies
with complex logic.


> MRv2 WebApp Security
> --------------------
>                 Key: MAPREDUCE-2858
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: applicationmaster, mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Luke Lu
>            Assignee: Luke Lu
>            Priority: Blocker
>             Fix For: 0.23.0
> In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and NameNode (NN)) run as "trusted"
> system users, the application masters (AM) run as users who submit the application. While this offers great flexibility
> to run multiple versions of mapreduce frameworks (including their UI) on the same Hadoop cluster, it has significant
> implication for the security of webapps (Please do not discuss company specific vulnerabilities
> Requirements:
> # Secure authentication for AM (for app/job level ACLs).
> # Webapp security should be optional via site configuration.
> # Support existing pluggable single sign on mechanisms.
> # Should not require per app/user configuration for deployment.
> # Should not require special site-wide DNS configuration for deployment.
> This is the top jira for webapp security. A design doc/notes of threat-modeling and counter measures will be posted on the wiki.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
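
The cookie-hiding step of the proposal in the comment above, sketched as an added example (not code from the JIRA issue or from Hadoop): a servlet filter that the AM container would place after the site authentication filter and before anything the AM registers. The class names are hypothetical and the Servlet 3.0+ `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter the AM container installs ahead of any AM-registered filter or servlet. */
public class CookieStrippingFilter implements Filter {

  /** Request view in which the Cookie header does not exist. */
  static final class CookielessRequest extends HttpServletRequestWrapper {
    CookielessRequest(HttpServletRequest request) { super(request); }

    private static boolean isCookie(String name) {
      return "Cookie".equalsIgnoreCase(name);
    }

    @Override public Cookie[] getCookies() { return null; } // servlet API: null means "no cookies"

    // Hiding getCookies() alone is not enough: the raw header carries the same values.
    @Override public String getHeader(String name) {
      return isCookie(name) ? null : super.getHeader(name);
    }

    @Override public Enumeration<String> getHeaders(String name) {
      return isCookie(name) ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
    }

    @Override public Enumeration<String> getHeaderNames() {
      List<String> kept = new ArrayList<String>();
      Enumeration<String> names = super.getHeaderNames();
      while (names != null && names.hasMoreElements()) {
        String n = names.nextElement();
        if (!isCookie(n)) kept.add(n);
      }
      return Collections.enumeration(kept);
    }
  }

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    chain.doFilter(new CookielessRequest((HttpServletRequest) req), res);
  }
}
```

A wrapper still exposes the original request through `ServletRequestWrapper.getRequest()`, so a container relying on this for isolation would need to hand the AM a copied request object rather than a wrapper.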

