Return-Path: 
 <user-return-5517-apmail-hadoop-mapreduce-user-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-mapreduce-user-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-mapreduce-user-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 66594EC6F
	for <apmail-hadoop-mapreduce-user-archive@minotaur.apache.org>;
 Wed, 27 Feb 2013 01:22:51 +0000 (UTC)
Received: (qmail 98103 invoked by uid 500); 27 Feb 2013 01:22:46 -0000
Delivered-To: apmail-hadoop-mapreduce-user-archive@hadoop.apache.org
Received: (qmail 97991 invoked by uid 500); 27 Feb 2013 01:22:46 -0000
Mailing-List: contact user-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@hadoop.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@hadoop.apache.org>
List-Post: <mailto:user@hadoop.apache.org>
List-Id: <user.hadoop.apache.org>
Reply-To: user@hadoop.apache.org
Delivered-To: mailing list user@hadoop.apache.org
Received: (qmail 97983 invoked by uid 99); 27 Feb 2013 01:22:46 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 27 Feb 2013 01:22:46 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of hadoop.ca@gmail.com
 designates 209.85.128.53 as permitted sender)
Received: from [209.85.128.53] (HELO mail-qe0-f53.google.com) (209.85.128.53)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 27 Feb 2013 01:22:41 +0000
Received: by mail-qe0-f53.google.com with SMTP id cz11so24273qeb.12
        for <user@hadoop.apache.org>; Tue, 26 Feb 2013 17:22:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:in-reply-to:references:date:message-id
         :subject:from:to:content-type;
        bh=w5WK4iEKd3TWRvac4XzIZrgRoEaNXomxCgqWy3Cl9lk=;
        b=GzwJvd8tSk9syqj6Mjt4NSwr37kVHwnTlkqMuz8QXUSLf7CcqO+ysCSnCInsgXtEtJ
         oFskgNtK1KrhDElxIdEWuWnUKR7J+V+nHqJp/0jhbdvV+sOi5btnnpJY3z1+b7Um33eq
         foe+l+llJqjO4I2kOzhbLfNoqVziHF129DoaECSpDuy0mrxigsiDiMUi9/1AgW/2KifD
         looTTvthHcB7m6tFZMdYZmavZycRcr/qja+3rY8HQKdTY+CVDyl8UK6cgJ1mJq+V1s+t
         hVmxgozewaWKaZrq3x1ExNo5PXuFxDFn0cqmpJ1x0TGCYWpSsYX95+2zGsSmSLH0Tm90
         2qPg==
MIME-Version: 1.0
X-Received: by 10.224.186.82 with SMTP id cr18mr5290431qab.64.1361928141302;
 Tue, 26 Feb 2013 17:22:21 -0800 (PST)
Received: by 10.49.49.234 with HTTP; Tue, 26 Feb 2013 17:22:21 -0800 (PST)
In-Reply-To: 
 <CAPQV63Um=0OsUxHcXyYfOYEEXwnnx=Vxx7zuOQ0DkrUh-wpTnQ@mail.gmail.com>
References: 
 <CALB5Fy8L0HhLJKCNTb4mhLFnzUqV3Qc0A7ZXibg9hJcmoKzmaQ@mail.gmail.com>
	<C7128CA403432849A4483B030F4489543574BDF2@turn-mail02.turn.corp>
	<CALB5Fy-MRwbL2BQ4g5crxehhrRPL3H-Bp6tfw9NDZahjBWzr+g@mail.gmail.com>
	<CAPQV63VQrrboMyq34jn6y8YX1HnDc9NRaAyzvDk65CwnXVw6+g@mail.gmail.com>
	<CALB5Fy9cw38Rx9ZtO+z+UZo671AgW0obS=3Ki4kvsCUUgFF8UQ@mail.gmail.com>
	<CAPQV63Um=0OsUxHcXyYfOYEEXwnnx=Vxx7zuOQ0DkrUh-wpTnQ@mail.gmail.com>
Date: Tue, 26 Feb 2013 17:22:21 -0800
Message-ID: 
 <CALB5Fy90J82vgJeLCUS-J-peMzDk0oPUgaRWcWqnUV+4p3H8EQ@mail.gmail.com>
Subject: Re: JobTracker security
From: Serge Blazhievsky <hadoop.ca@gmail.com>
To: user@hadoop.apache.org
Content-Type: multipart/alternative; boundary=20cf303b3e8312934904d6aa9b4f
X-Virus-Checked: Checked by ClamAV on apache.org

--20cf303b3e8312934904d6aa9b4f
Content-Type: text/plain; charset=ISO-8859-1

All right!

Thanks for advice!


Serge

On Tue, Feb 26, 2013 at 4:57 PM, Jean-Marc Spaggiari <
jean-marc@spaggiari.org> wrote:

> I mean the executable files. Or even the entire hadoop directory?
> People might still be able to install a local copy of hadoop and
> configure it to point to the same trackers, and then do the kill, but
> at least that will complicate the things a bit?
>
> If user1 and user2 are on different groups also, that might allow you
> to block some user2 actions against user1 processes? Also, you should
> take look to the "Security" chapter in "Hadoop: The Definitive Guide"
> and to the hadoop-policy.xml file (I never looked at this file, so
> maybe it's not at all related).
>
> 2013/2/26 Serge Blazhievsky <hadoop.ca@gmail.com>:
> > hi Jean,
> >
> > Do you mean input files for hadoop ? or hadoop directory?
> >
> > Serge
> >
> >
> > On Tue, Feb 26, 2013 at 4:38 PM, Jean-Marc Spaggiari
> > <jean-marc@spaggiari.org> wrote:
> >>
> >> Maybe restrict access to the hadoop file(s) to the user1?
> >>
> >> 2013/2/26 Serge Blazhievsky <hadoop.ca@gmail.com>:
> >> > I am trying to not to use kerberos...
> >> >
> >> > Is there other option?
> >> >
> >> > Thanks
> >> > Serge
> >> >
> >> >
> >> > On Tue, Feb 26, 2013 at 3:31 PM, Patai Sangbutsarakum
> >> > <Patai.Sangbutsarakum@turn.com> wrote:
> >> >>
> >> >> Kerberos
> >> >>
> >> >> From: Serge Blazhievsky <hadoop.ca@gmail.com>
> >> >> Reply-To: <user@hadoop.apache.org>
> >> >> Date: Tue, 26 Feb 2013 15:29:08 -0800
> >> >> To: <user@hadoop.apache.org>
> >> >> Subject: JobTracker security
> >> >>
> >> >> Hi all,
> >> >>
> >> >> Is there a way to restrict job monitoring and management only to jobs
> >> >> started by each individual user?
> >> >>
> >> >>
> >> >> The basic scenario is:
> >> >>
> >> >> 1. Start a job under user1
> >> >> 2. Login as user2
> >> >> 3. hadoop job -list to retrieve job id
> >> >> 4. hadoop job -kill job_id
> >> >> 5. Job gets terminated....
> >> >>
> >> >> Is there something that needs to be enabled to prevent that from
> >> >> happening?
> >> >>
> >> >> Thanks
> >> >> Serge
> >> >
> >> >
> >
> >
>

--20cf303b3e8312934904d6aa9b4f
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

All right!<br><br>Thanks for advice!<br><br><br>Serge<br><br><div class=3D"=
gmail_quote">On Tue, Feb 26, 2013 at 4:57 PM, Jean-Marc Spaggiari <span dir=
=3D"ltr">&lt;<a href=3D"mailto:jean-marc@spaggiari.org" target=3D"_blank">j=
ean-marc@spaggiari.org</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">I mean the executable files. Or even the ent=
ire hadoop directory?<br>
People might still be able to install a local copy of hadoop and<br>
configure it to point to the same trackers, and then do the kill, but<br>
at least that will complicate the things a bit?<br>
<br>
If user1 and user2 are on different groups also, that might allow you<br>
to block some user2 actions against user1 processes? Also, you should<br>
take look to the &quot;Security&quot; chapter in &quot;Hadoop: The Definiti=
ve Guide&quot;<br>
and to the hadoop-policy.xml file (I never looked at this file, so<br>
maybe it&#39;s not at all related).<br>
<br>
2013/2/26 Serge Blazhievsky &lt;<a href=3D"mailto:hadoop.ca@gmail.com">hado=
op.ca@gmail.com</a>&gt;:<br>
<div class=3D"HOEnZb"><div class=3D"h5">&gt; hi Jean,<br>
&gt;<br>
&gt; Do you mean input files for hadoop ? or hadoop directory?<br>
&gt;<br>
&gt; Serge<br>
&gt;<br>
&gt;<br>
&gt; On Tue, Feb 26, 2013 at 4:38 PM, Jean-Marc Spaggiari<br>
&gt; &lt;<a href=3D"mailto:jean-marc@spaggiari.org">jean-marc@spaggiari.org=
</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; Maybe restrict access to the hadoop file(s) to the user1?<br>
&gt;&gt;<br>
&gt;&gt; 2013/2/26 Serge Blazhievsky &lt;<a href=3D"mailto:hadoop.ca@gmail.=
com">hadoop.ca@gmail.com</a>&gt;:<br>
&gt;&gt; &gt; I am trying to not to use kerberos...<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Is there other option?<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; Thanks<br>
&gt;&gt; &gt; Serge<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; On Tue, Feb 26, 2013 at 3:31 PM, Patai Sangbutsarakum<br>
&gt;&gt; &gt; &lt;<a href=3D"mailto:Patai.Sangbutsarakum@turn.com">Patai.Sa=
ngbutsarakum@turn.com</a>&gt; wrote:<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; Kerberos<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; From: Serge Blazhievsky &lt;<a href=3D"mailto:hadoop.ca@g=
mail.com">hadoop.ca@gmail.com</a>&gt;<br>
&gt;&gt; &gt;&gt; Reply-To: &lt;<a href=3D"mailto:user@hadoop.apache.org">u=
ser@hadoop.apache.org</a>&gt;<br>
&gt;&gt; &gt;&gt; Date: Tue, 26 Feb 2013 15:29:08 -0800<br>
&gt;&gt; &gt;&gt; To: &lt;<a href=3D"mailto:user@hadoop.apache.org">user@ha=
doop.apache.org</a>&gt;<br>
&gt;&gt; &gt;&gt; Subject: JobTracker security<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; Hi all,<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; Is there a way to restrict job monitoring and management =
only to jobs<br>
&gt;&gt; &gt;&gt; started by each individual user?<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; The basic scenario is:<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; 1. Start a job under user1<br>
&gt;&gt; &gt;&gt; 2. Login as user2<br>
&gt;&gt; &gt;&gt; 3. hadoop job -list to retrieve job id<br>
&gt;&gt; &gt;&gt; 4. hadoop job -kill job_id<br>
&gt;&gt; &gt;&gt; 5. Job gets terminated....<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; Is there something that needs to be enabled to prevent th=
at from<br>
&gt;&gt; &gt;&gt; happening?<br>
&gt;&gt; &gt;&gt;<br>
&gt;&gt; &gt;&gt; Thanks<br>
&gt;&gt; &gt;&gt; Serge<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt;<br>
&gt;<br>
&gt;<br>
</div></div></blockquote></div><br>

--20cf303b3e8312934904d6aa9b4f--