[ https://issues.apache.org/jira/browse/MAPREDUCE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12830633#action_12830633 ]
Vinod K V commented on MAPREDUCE-1307:
--------------------------------------

The above proposal has some idiosyncrasies and can be improved:

- The permissions model is not uniform across jobs and queues. Jobs use POSIX model while queues use ACLs. Having the same model can simplify the code a bit at the same time, users/admins can use the same model to describe permissions.
- Job permissions don't strictly follow the POSIX model
-- executable bit will be ignored completely and has no meaning
-- a job can be owned by multiple groups whereas a file can only be owned by a single group
-- because permissions on queues (directories) are still expressed as ACLs, it is not possible to extend the job-permissions to say, implement chmod on the job. The patch currently assumes that the permissions cannot be changed after submission, but this assumption can change in the future.
-- It is difficult to extend the permissions in general too - every operation has to be (forcibly) baked into either the readability or the writability category.

So, I propose we change the job-permissions also to use ACLs. The only downside is that we lose the simple way of configuring job-permissions using octal numbers, but I think that's OK because even now queues ARE being described in terms of ACLs.

Thoughts?

> Introduce the concept of Job Permissions
> ----------------------------------------
>
>                 Key: MAPREDUCE-1307
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1307
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Devaraj Das
>             Fix For: 0.22.0
>
>         Attachments: 1307-early-1.patch
>
>
> It would be good to define the notion of job permissions analogous to file
> permissions. Then the JobTracker can restrict who can "read" (e.g. look at
> the job page) or "modify" (e.g. kill) jobs.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
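The trade-off discussed in the comment above, modelled as an added example that is not part of the original message, the attached patch, or Hadoop itself: a job guarded by POSIX-style mode bits next to the same job guarded by one ACL per operation. All types, operation names, users, groups and the `"users groups"` ACL text form are assumptions made for this illustration.

```java
import java.util.*;

// Added illustration: every type and name below is hypothetical, not Hadoop code.
public class JobPermissionModels {
    enum Op { VIEW, KILL, SET_PRIORITY }

    // POSIX-style job: one owner, one group, rw bits per class; the x bit means nothing.
    record PosixJob(String owner, String group, int mode) {
        boolean allows(String user, Set<String> userGroups, Op op) {
            int want = (op == Op.VIEW) ? 4 : 2; // every non-view operation is forced into "write"
            int shift = user.equals(owner) ? 6 : userGroups.contains(group) ? 3 : 0;
            return ((mode >> shift) & want) != 0;
        }
    }

    // One ACL per operation. Assumed text form: "user1,user2 group1,group2".
    record Acl(Set<String> users, Set<String> groups) {
        static Acl parse(String spec) {
            String[] p = spec.split(" ", 2);
            return new Acl(csv(p[0]), csv(p.length > 1 ? p[1] : ""));
        }
        private static Set<String> csv(String s) {
            Set<String> out = new HashSet<>();
            for (String t : s.split(",")) if (!t.isBlank()) out.add(t.trim());
            return out;
        }
        boolean allows(String user, Set<String> userGroups) {
            return users.contains(user) || !Collections.disjoint(groups, userGroups);
        }
    }

    record AclJob(String owner, Map<Op, Acl> acls) {
        boolean allows(String user, Set<String> userGroups, Op op) {
            if (user.equals(owner)) return true;   // assumption: the owner may always act
            Acl acl = acls.get(op);
            return acl != null && acl.allows(user, userGroups); // no ACL for an operation: deny
        }
    }

    public static void main(String[] args) {
        Set<String> carol = Set.of("ops");         // constructed users and groups
        PosixJob posix = new PosixJob("alice", "ops", 0660);
        AclJob acl = new AclJob("alice", Map.of(
            Op.VIEW, Acl.parse("bob ops,analytics"),
            Op.KILL, Acl.parse(" ops")));
        for (Op op : Op.values())
            System.out.printf("%-12s posix=%-5b acl=%b%n", op,
                posix.allows("carol", carol, op), acl.allows("carol", carol, op));
    }
}
```

With mode bits, giving the `ops` group the right to kill the job also gives it every other operation classed as a write, and only one group can be named; with per-operation ACLs the view list can name several groups and an operation without an ACL is denied.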