HADOOP-11615. Update ServiceLevelAuth.md for YARN. Contributed by Brahma Reddy Battula.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/dd9cd079 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/dd9cd079 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/dd9cd079 Branch: refs/heads/YARN-2928 Commit: dd9cd0797c265edfa7c3f18d2efce7c8f2801a6d Parents: 30e73eb Author: Akira Ajisaka <aajis...@apache.org> Authored: Sun Mar 1 22:16:06 2015 -0800 Committer: Akira Ajisaka <aajis...@apache.org> Committed: Sun Mar 1 22:16:06 2015 -0800 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../src/site/markdown/ServiceLevelAuth.md | 17 ++++++++--------- 2 files changed, 11 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/dd9cd079/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index b1a7a7d..4c0c375 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -1025,6 +1025,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11634. Description of webhdfs' principal/keytab should switch places each other. (Brahma Reddy Battula via ozawa) + HADOOP-11615. Update ServiceLevelAuth.md for YARN. + (Brahma Reddy Battula via aajisaka) + Release 2.6.1 - UNRELEASED INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/dd9cd079/hadoop-common-project/hadoop-common/src/site/markdown/ServiceLevelAuth.md ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/site/markdown/ServiceLevelAuth.md b/hadoop-common-project/hadoop-common/src/site/markdown/ServiceLevelAuth.md index ae41b47..e0017d4 100644 
--- a/hadoop-common-project/hadoop-common/src/site/markdown/ServiceLevelAuth.md +++ b/hadoop-common-project/hadoop-common/src/site/markdown/ServiceLevelAuth.md @@ -68,10 +68,9 @@ This section lists the various Hadoop services and their configuration knobs: | security.datanode.protocol.acl | ACL for DatanodeProtocol, which is used by datanodes to communicate with the namenode. | | security.inter.datanode.protocol.acl | ACL for InterDatanodeProtocol, the inter-datanode protocol for updating generation timestamp. | | security.namenode.protocol.acl | ACL for NamenodeProtocol, the protocol used by the secondary namenode to communicate with the namenode. | -| security.inter.tracker.protocol.acl | ACL for InterTrackerProtocol, used by the tasktrackers to communicate with the jobtracker. | -| security.job.submission.protocol.acl | ACL for JobSubmissionProtocol, used by job clients to communciate with the jobtracker for job submission, querying job status etc. | -| security.task.umbilical.protocol.acl | ACL for TaskUmbilicalProtocol, used by the map and reduce tasks to communicate with the parent tasktracker. | -| security.refresh.policy.protocol.acl | ACL for RefreshAuthorizationPolicyProtocol, used by the dfsadmin and mradmin commands to refresh the security policy in-effect. | +| security.job.client.protocol.acl | ACL for JobSubmissionProtocol, used by job clients to communciate with the resourcemanager for job submission, querying job status etc. | +| security.job.task.protocol.acl | ACL for TaskUmbilicalProtocol, used by the map and reduce tasks to communicate with the parent nodemanager. | +| security.refresh.policy.protocol.acl | ACL for RefreshAuthorizationPolicyProtocol, used by the dfsadmin and rmadmin commands to refresh the security policy in-effect. | | security.ha.service.protocol.acl | ACL for HAService protocol used by HAAdmin to manage the active and stand-by states of namenode. | ### Access Control Lists 
@@ -98,15 +97,15 @@ If access control list is not defined for a service, the value of `security.serv ### Refreshing Service Level Authorization Configuration -The service-level authorization configuration for the NameNode and JobTracker can be changed without restarting either of the Hadoop master daemons. The cluster administrator can change `$HADOOP_CONF_DIR/hadoop-policy.xml` on the master nodes and instruct the NameNode and JobTracker to reload their respective configurations via the `-refreshServiceAcl` switch to `dfsadmin` and `mradmin` commands respectively. +The service-level authorization configuration for the NameNode and ResourceManager can be changed without restarting either of the Hadoop master daemons. The cluster administrator can change `$HADOOP_CONF_DIR/hadoop-policy.xml` on the master nodes and instruct the NameNode and ResourceManager to reload their respective configurations via the `-refreshServiceAcl` switch to `dfsadmin` and `rmadmin` commands respectively. Refresh the service-level authorization configuration for the NameNode: - $ bin/hadoop dfsadmin -refreshServiceAcl + $ bin/hdfs dfsadmin -refreshServiceAcl -Refresh the service-level authorization configuration for the JobTracker: +Refresh the service-level authorization configuration for the ResourceManager: - $ bin/hadoop mradmin -refreshServiceAcl + $ bin/yarn rmadmin -refreshServiceAcl Of course, one can use the `security.refresh.policy.protocol.acl` property in `$HADOOP_CONF_DIR/hadoop-policy.xml` to restrict access to the ability to refresh the service-level authorization configuration to certain users/groups. @@ -125,7 +124,7 @@ Of course, one can use the `security.refresh.policy.protocol.acl` property in `$ Allow only users `alice`, `bob` and users in the `mapreduce` group to submit jobs to the MapReduce cluster: <property> - <name>security.job.submission.protocol.acl</name> + <name>security.job.client.protocol.acl</name> <value>alice,bob mapreduce</value> </property>
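Review bot: in the ServiceLevelAuth.md table hunk (`@@ -68,10 +68,9 @@`), the added row for `security.job.client.protocol.acl` still describes itself as the ACL for JobSubmissionProtocol; only the key and the daemon name (jobtracker to resourcemanager) changed. Please check the protocol name and wording against the description that ships with this key in `hadoop-policy.xml`, because an operator who tightens the ACL from this table will assume it gates exactly the protocol named here. The same added line carries over the typo "communciate", which should be "communicate". The hunk also removes `security.inter.tracker.protocol.acl` without adding a row for nodemanager-to-resourcemanager traffic, so the table now lists no ACL for that path; if YARN defines service-level ACLs for its own protocols, they belong in this table as part of a change titled "Update ServiceLevelAuth.md for YARN".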
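Review bot: in the "Refreshing Service Level Authorization Configuration" hunk (`@@ -98,15 +97,15 @@`), the rewritten paragraph still speaks of the "`dfsadmin` and `rmadmin` commands" while the two examples under it now run `bin/hdfs dfsadmin` and `bin/yarn rmadmin`. Suggest writing `hdfs dfsadmin` and `yarn rmadmin` in the sentence as well, so the prose and the examples name the same entry points and nobody goes looking for `rmadmin` under `bin/hadoop`.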
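Review bot: in the last hunk (`@@ -125,7 +124,7 @@`), only the property name changes, while the unchanged sentence above it still promises that the setting lets only `alice`, `bob` and the `mapreduce` group "submit jobs to the MapReduce cluster". Please verify that `security.job.client.protocol.acl` is the property that actually controls job submission under YARN. If it governs a different client protocol, a reader who copies this example will believe submission is restricted when it is not, and either the property or the sentence should be changed to match.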