Return-Path: 
 <user-return-5516-apmail-hadoop-user-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-user-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-user-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id DF4A4EA46
	for <apmail-hadoop-user-archive@minotaur.apache.org>;
 Wed, 27 Feb 2013 00:58:02 +0000 (UTC)
Received: (qmail 14146 invoked by uid 500); 27 Feb 2013 00:57:58 -0000
Delivered-To: apmail-hadoop-user-archive@hadoop.apache.org
Received: (qmail 13855 invoked by uid 500); 27 Feb 2013 00:57:58 -0000
Mailing-List: contact user-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@hadoop.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@hadoop.apache.org>
List-Post: <mailto:user@hadoop.apache.org>
List-Id: <user.hadoop.apache.org>
Reply-To: user@hadoop.apache.org
Delivered-To: mailing list user@hadoop.apache.org
Received: (qmail 13827 invoked by uid 99); 27 Feb 2013 00:57:58 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 27 Feb 2013 00:57:58 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [74.125.82.52] (HELO mail-wg0-f52.google.com) (74.125.82.52)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 27 Feb 2013 00:57:53 +0000
Received: by mail-wg0-f52.google.com with SMTP id 12so7142wgh.19
        for <user@hadoop.apache.org>; Tue, 26 Feb 2013 16:57:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=x-received:mime-version:in-reply-to:references:from:date:message-id
         :subject:to:content-type:x-gm-message-state;
        bh=voMxxpo+laiqXC85aOtUolezkw96MYk+W07gtr/zd/Q=;
        b=oa+1Y/t+swifsZOVTCNIXvefLQX2WxuBf2MugDt9FzYIc4s2Axjs+FV19taXaGUzlB
         F9xL7Izy+mv0hAm3Uj7hK2A31xeHcWmi3QeDG9GEaVHjy9jAdDxMOzRCrLpZaS17Qe5Q
         bnoM9c9EgCUm07r0VIAqkBG5TErk4aVXshzpq0+2aKZy2qe0tqAfJohoJnnEILYq9D51
         /PFsF3oZN3IxLjcTcLlp/FCfz8hryIQRV/NTUn/wFjtRDyx5DBIzQ/Cyd5CvgAELon1k
         uYqmu7lXXDXYgxWjWdqNhMXay48akbrtb+N2zqehvtqMhX72F0fvIggA59kVQCea2FRt
         r1Yg==
X-Received: by 10.180.98.232 with SMTP id el8mr23024346wib.22.1361926651923;
 Tue, 26 Feb 2013 16:57:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.176.71 with HTTP; Tue, 26 Feb 2013 16:57:11 -0800 (PST)
In-Reply-To: 
 <CALB5Fy9cw38Rx9ZtO+z+UZo671AgW0obS=3Ki4kvsCUUgFF8UQ@mail.gmail.com>
References: 
 <CALB5Fy8L0HhLJKCNTb4mhLFnzUqV3Qc0A7ZXibg9hJcmoKzmaQ@mail.gmail.com>
 <C7128CA403432849A4483B030F4489543574BDF2@turn-mail02.turn.corp>
 <CALB5Fy-MRwbL2BQ4g5crxehhrRPL3H-Bp6tfw9NDZahjBWzr+g@mail.gmail.com>
 <CAPQV63VQrrboMyq34jn6y8YX1HnDc9NRaAyzvDk65CwnXVw6+g@mail.gmail.com>
 <CALB5Fy9cw38Rx9ZtO+z+UZo671AgW0obS=3Ki4kvsCUUgFF8UQ@mail.gmail.com>
From: Jean-Marc Spaggiari <jean-marc@spaggiari.org>
Date: Tue, 26 Feb 2013 19:57:11 -0500
Message-ID: 
 <CAPQV63Um=0OsUxHcXyYfOYEEXwnnx=Vxx7zuOQ0DkrUh-wpTnQ@mail.gmail.com>
Subject: Re: JobTracker security
To: user@hadoop.apache.org
Content-Type: text/plain; charset=UTF-8
X-Gm-Message-State: 
 ALoCoQnOxd1bAUV7AyTLsoeBlK4UTBhxmsaZ8woKPy/2yTGl/1FIET0KmLDAK3/E4+QXomkyoDRY
X-Virus-Checked: Checked by ClamAV on apache.org

I mean the executable files. Or even the entire hadoop directory?
People might still be able to install a local copy of hadoop and
configure it to point to the same trackers, and then do the kill, but
at least that will complicate the things a bit?

If user1 and user2 are on different groups also, that might allow you
to block some user2 actions against user1 processes? Also, you should
take look to the "Security" chapter in "Hadoop: The Definitive Guide"
and to the hadoop-policy.xml file (I never looked at this file, so
maybe it's not at all related).

2013/2/26 Serge Blazhievsky <hadoop.ca@gmail.com>:
> hi Jean,
>
> Do you mean input files for hadoop ? or hadoop directory?
>
> Serge
>
>
> On Tue, Feb 26, 2013 at 4:38 PM, Jean-Marc Spaggiari
> <jean-marc@spaggiari.org> wrote:
>>
>> Maybe restrict access to the hadoop file(s) to the user1?
>>
>> 2013/2/26 Serge Blazhievsky <hadoop.ca@gmail.com>:
>> > I am trying to not to use kerberos...
>> >
>> > Is there other option?
>> >
>> > Thanks
>> > Serge
>> >
>> >
>> > On Tue, Feb 26, 2013 at 3:31 PM, Patai Sangbutsarakum
>> > <Patai.Sangbutsarakum@turn.com> wrote:
>> >>
>> >> Kerberos
>> >>
>> >> From: Serge Blazhievsky <hadoop.ca@gmail.com>
>> >> Reply-To: <user@hadoop.apache.org>
>> >> Date: Tue, 26 Feb 2013 15:29:08 -0800
>> >> To: <user@hadoop.apache.org>
>> >> Subject: JobTracker security
>> >>
>> >> Hi all,
>> >>
>> >> Is there a way to restrict job monitoring and management only to jobs
>> >> started by each individual user?
>> >>
>> >>
>> >> The basic scenario is:
>> >>
>> >> 1. Start a job under user1
>> >> 2. Login as user2
>> >> 3. hadoop job -list to retrieve job id
>> >> 4. hadoop job -kill job_id
>> >> 5. Job gets terminated....
>> >>
>> >> Is there something that needs to be enabled to prevent that from
>> >> happening?
>> >>
>> >> Thanks
>> >> Serge
>> >
>> >
>
>