hadoop-mapreduce-issues mailing list archives

From "Allen Wittenauer (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-2858) MRv2 WebApp Security
Date Thu, 13 Oct 2011 18:39:12 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13126793#comment-13126793 ]

Allen Wittenauer commented on MAPREDUCE-2858:
---------------------------------------------

bq. It authenticates the user and if the user is not the owner of AM, the filtering will happen.

Correct, but with two very big points:

a) The only allowed access is via the proxy (no HDFS, etc)
b) The filter drops all embedded content.  Bye-bye MR SVG graphs.

bq. Signing is pretty much useless in practice due to key management issues besides the hairy
implementation issues (need to sign am jar along with all its dependencies and any stuff that
gets added to distributed cache)

Actually, you'd be amazed at the enterprises that actually have effective signing infrastructures
in place. 

But more importantly, you missed a key thing here:  you can still allow untrusted code to
run.  You just mark it as such so that whoever can make the informed decision.  This is much
better than a black box that gives a false sense of security.
                
> MRv2 WebApp Security
> --------------------
>
>                 Key: MAPREDUCE-2858
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: applicationmaster, mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Luke Lu
>            Assignee: Luke Lu
>            Priority: Blocker
>             Fix For: 0.23.0
>
>
> In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and NameNode (NN)) run as "trusted"
> system users, the application masters (AM) run as users who submit the application. While this offers great flexibility
> to run multiple versions of mapreduce frameworks (including their UI) on the same Hadoop cluster, it has significant
> implications for the security of webapps (Please do not discuss company specific vulnerabilities here).
> Requirements:
> # Secure authentication for AM (for app/job level ACLs).
> # Webapp security should be optional via site configuration.
> # Support existing pluggable single sign on mechanisms.
> # Should not require per app/user configuration for deployment.
> # Should not require special site-wide DNS configuration for deployment.
> This is the top jira for webapp security. A design doc/notes of threat-modeling and countermeasures will be posted on the wiki.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
