[ 
https://issues.apache.org/jira/browse/HADOOP-1873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12530585
 ] 

Raghu Angadi commented on HADOOP-1873:
--------------------------------------

It is not clear to me when very generic "pluggable/kerberos" authentication 
will be supported very well in HDFS yet. I know that it will be supported in 
the future. Also, this is my first time working with the Map/Reduce part of 
Hadoop at more than a superficial level. I would like to propose modest goals 
for this jira and not add major new requirements for HADOOP-1298:

# The system is not less secure than it currently is. Easy to do :).
# No changes to either map-reduce config or map reduce code should be required.
# System directory is world writable (at least to create directories).
# Use (restrictive?) umask when it is supported in 'fs.create()/mkdirs()'.
# Pass only the "user name" from job client. Either option of jobconf file or 
rpc is fine. Jobconf file seems simpler and intuitive, except that the conf 
file should be world readable; I think it is ok for the first version.
# MapReduce creates a "SimpleUserTicket" from the user name and uses it 
whenever it is doing file io on behalf of user's job/task.
# Not sure yet what user the mapReduce itself uses. The user that starts it 
seems ok for now.

Note that all of this is transparent to the user and improving the 
implementation would not break external interfaces. I think this simpler 
approach itself adds very useful functionality. I would like to think of this 
as making MapReduce work with HDFS permissions and not as a major security 
overhaul of Map/Reduce.

I mentioned the expiring tickets etc. earlier more as something "we care 
about but not implementing yet".


> User permissions for Map/Reduce
> -------------------------------
>
>                 Key: HADOOP-1873
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1873
>             Project: Hadoop
>          Issue Type: Improvement
>            Reporter: Raghu Angadi
>            Assignee: Raghu Angadi
>
> HADOOP-1298 and HADOOP-1701 add permissions and pluggable security for DFS 
> files and DFS accesses. The same user permissions should work for Map/Reduce 
> jobs as well. 
> User permission should propagate from client to map/reduce tasks and all the 
> file operations should be subject to user permissions. This is transparent to 
> the user (i.e. no changes to user code should be required). 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
