[ 
https://issues.apache.org/jira/browse/HADOOP-3698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12623283#action_12623283
 ] 

Hemanth Yamijala commented on HADOOP-3698:
------------------------------------------

- We could have an implementation on the following lines:

{code}
import org.apache.hadoop.conf.Configuration;

abstract class QueueAccessVerifier {

  enum QueueOperation {
    SUBMIT_JOB,
    LIST_JOBS,
    ADMINISTER_JOBS
    // ..
  }

  private Configuration conf;

  public void setConfiguration(Configuration conf) {
    this.conf = conf;
  }

  public Configuration getConfiguration() {
    return conf;
  }

  // basic initialization, e.g. read a conf file which has the list
  // of configured groups and users, and so on.
  public abstract void initialize();

  // verify if the specified operation is allowed on the specified queue
  public abstract boolean verifyAccess(QueueOperation operation, 
                                        String queue);
}
{code}

- The class name of a concrete implementation of QueueAccessVerifier can be 
specified in Hadoop's configuration using a new variable, say 
{{hadoop.rm.accessverifier}}, and initialized by the JobTracker.
- Following this, implementations of methods defined in JobSubmissionProtocol, 
such as {{submitJob}} and {{killJob}}, can use the instance of 
QueueAccessVerifier to check if the operation is allowed or not.
- In order to get the currently logged-in user and his/her groups, we can 
probably re-use the UserGroupInformation class that HDFS uses for permission 
checking. If we decide to follow that route, JobClient could set the 
{{UGI_PROPERTY_NAME}} just like DFSClient does, by doing a login.

Please let me know if this approach seems fine.

> Implement access control for submitting jobs to queues in the JobTracker
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-3698
>                 URL: https://issues.apache.org/jira/browse/HADOOP-3698
>             Project: Hadoop Core
>          Issue Type: New Feature
>          Components: mapred
>            Reporter: Hemanth Yamijala
>            Assignee: Hemanth Yamijala
>             Fix For: 0.19.0
>
>
> HADOOP-3445 implements multiple queues in the JobTracker as part of the new 
> resource manager for Hadoop (HADOOP-3421). There needs to be a mechanism to 
> control who can submit jobs to a specified queue. This JIRA is for tracking 
> the requirements, approach and implementation for the same.
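
An added example, not part of the original comment or of Hadoop's code: a stand-alone sketch of a concrete verifier in the spirit of the proposed QueueAccessVerifier, showing deny-by-default checks per queue and operation. Assumptions: {{java.util.Properties}} stands in for Hadoop's Configuration, the user and groups are passed in explicitly instead of coming from UserGroupInformation, and the class name and the {{queue.<name>.<OPERATION>.users}} / {{.groups}} keys are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

// Added example: stand-alone sketch, not Hadoop code. Properties stands in for
// Hadoop's Configuration; the class name and key names are hypothetical.
public class AclQueueAccessVerifier {

  enum QueueOperation { SUBMIT_JOB, LIST_JOBS, ADMINISTER_JOBS }

  private final Properties conf;

  AclQueueAccessVerifier(Properties conf) {
    this.conf = conf;
  }

  // Reads a comma-separated list; a missing key yields an empty set.
  private Set<String> list(String key) {
    Set<String> out = new HashSet<>();
    for (String s : conf.getProperty(key, "").split(",")) {
      if (!s.trim().isEmpty()) out.add(s.trim());
    }
    return out;
  }

  // Fail closed: null input, unknown queue, missing ACL or empty ACL all deny.
  boolean verifyAccess(QueueOperation op, String queue, String user, Set<String> groups) {
    if (queue == null || user == null || user.isEmpty() || groups == null) return false;
    String prefix = "queue." + queue + "." + op.name();
    if (list(prefix + ".users").contains(user)) return true;
    Set<String> allowed = list(prefix + ".groups");
    allowed.retainAll(groups); // intersection with the caller's groups
    return !allowed.isEmpty();
  }

  public static void main(String[] args) {
    Properties conf = new Properties(); // constructed sample configuration
    conf.setProperty("queue.research.SUBMIT_JOB.users", "alice");
    conf.setProperty("queue.research.SUBMIT_JOB.groups", "analysts");
    AclQueueAccessVerifier v = new AclQueueAccessVerifier(conf);
    Set<String> g = new HashSet<>(Arrays.asList("analysts"));
    Set<String> none = new HashSet<>();
    System.out.println(v.verifyAccess(QueueOperation.SUBMIT_JOB, "research", "alice", none)); // user match
    System.out.println(v.verifyAccess(QueueOperation.SUBMIT_JOB, "research", "bob", g)); // group match
    System.out.println(v.verifyAccess(QueueOperation.ADMINISTER_JOBS, "research", "alice", g)); // no ACL for this operation
    System.out.println(v.verifyAccess(QueueOperation.SUBMIT_JOB, "default", "alice", g)); // queue without any ACL
  }
}
```

The check must run in the JobTracker on the server side, since a client-supplied user name is only as trustworthy as the login mechanism behind it.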
