K0K0V0K commented on code in PR #8100:
URL: https://github.com/apache/hadoop/pull/8100#discussion_r2975230949
##########
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRConfig.java:
##########
@@ -133,5 +133,82 @@ public interface MRConfig {
boolean DEFAULT_MASTER_WEBAPP_UI_ACTIONS_ENABLED = true;
String MULTIPLE_OUTPUTS_CLOSE_THREAD_COUNT =
"mapreduce.multiple-outputs-close-threads";
int DEFAULT_MULTIPLE_OUTPUTS_CLOSE_THREAD_COUNT = 10;
+
+ /**
+ * Enables MapReduce Task-Level Security Enforcement.
+ *
+ * When enabled, the Application Master performs validation of user-submitted
+ * mapper, reducer, and other task-related classes before launching
containers.
+ * This mechanism protects the cluster from running disallowed or unsafe task
+ * implementations as defined by administrator-controlled policies.
+ *
+ * Property type: boolean
+ * Default: false (security disabled)
+ */
+ String SECURITY_ENABLED = "mapreduce.security.enabled";
+ boolean DEFAULT_SECURITY_ENABLED = false;
+
+ /**
+ * MapReduce Task-Level Security Enforcement: Property Domain
+ *
+ * Defines the set of MapReduce configuration keys that represent
user-supplied
+ * class names involved in task execution (e.g., mapper, reducer,
partitioner).
+ * The Application Master examines the values of these properties and checks
+ * whether any referenced class is listed in {@link #SECURITY_DENIED_TASKS}.
+ * Administrators may override this list to expand or restrict the validation
+ * domain.
+ *
+ * Property type: list of configuration keys
+ * Default: all known task-level class properties (see list below)
+ */
+ String SECURITY_PROPERTY_DOMAIN = "mapreduce.security.property-domain";
+ String[] DEFAULT_SECURITY_PROPERTY_DOMAIN = {
+ "mapreduce.job.combine.class",
+ "mapreduce.job.combiner.group.comparator.class",
+ "mapreduce.job.end-notification.custom-notifier-class",
+ "mapreduce.job.inputformat.class",
+ "mapreduce.job.map.class",
+ "mapreduce.job.map.output.collector.class",
+ "mapreduce.job.output.group.comparator.class",
+ "mapreduce.job.output.key.class",
+ "mapreduce.job.output.key.comparator.class",
+ "mapreduce.job.output.value.class",
+ "mapreduce.job.outputformat.class",
+ "mapreduce.job.partitioner.class",
+ "mapreduce.job.reduce.class",
+ "mapreduce.map.output.key.class",
+ "mapreduce.map.output.value.class"
+ };
+
+ /**
+ * MapReduce Task-Level Security Enforcement: Denied Tasks
+ *
Review Comment:
<img width="992" height="386" alt="image"
src="https://github.com/user-attachments/assets/4df10d95-7c03-4e1e-891a-1153adc5c97d";
/>
I dont think this is working for arrays, seems like only const supported
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
