Date: Fri, 21 Oct 2011 23:36:32 +0000 (UTC)
From: "Alejandro Abdelnur (Commented) (JIRA)"
To: mapreduce-issues@hadoop.apache.org
Message-ID: <365527842.4004.1319240192973.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <24984446.50730.1313704707621.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (MAPREDUCE-2858) MRv2 WebApp Security

[
https://issues.apache.org/jira/browse/MAPREDUCE-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133192#comment-13133192 ]

Alejandro Abdelnur commented on MAPREDUCE-2858:
-----------------------------------------------

Robert,

Are you suggesting that we should keep the proxy with a switch to disable rewriting so the proxy redirects (a redirect would work as opposed to actually proxying, no?) to the history server when the AM goes away? If so, it makes sense.

> MRv2 WebApp Security
> --------------------
>
>                 Key: MAPREDUCE-2858
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: applicationmaster, mrv2, security
>    Affects Versions: 0.23.0, 0.24.0
>            Reporter: Luke Lu
>            Assignee: Robert Joseph Evans
>            Priority: Blocker
>             Fix For: 0.23.0
>
>         Attachments: MR-2858-branch-0.23.txt, MR-2858-branch-0.23.txt, MR-2858.txt, MR-2858.txt
>
>
> In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and NameNode (NN)) run as "trusted"
> system users, the application masters (AM) run as users who submit the application. While this offers great flexibility
> to run multiple versions of mapreduce frameworks (including their UI) on the same Hadoop cluster, it has significant
> implications for the security of webapps (Please do not discuss company specific vulnerabilities here).
> Requirements:
> # Secure authentication for AM (for app/job level ACLs).
> # Webapp security should be optional via site configuration.
> # Support existing pluggable single sign on mechanisms.
> # Should not require per app/user configuration for deployment.
> # Should not require special site-wide DNS configuration for deployment.
> This is the top jira for webapp security. A design doc/notes of threat-modeling and countermeasures will be posted on the wiki.

--
This message is automatically generated by JIRA.