[ 
https://issues.apache.org/jira/browse/MAPREDUCE-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12832149#action_12832149
 ] 

Ravi Gummadi commented on MAPREDUCE-1455:
-----------------------------------------

(1) As history files don't have job ACLs stored along with them, accessing 
history related web pages will not be protected as part of this JIRA. That can 
be done as an improvement to this JIRA later.

(2) This JIRA focuses on authorization of users against viewing/modifying jobs 
only. So no authorization for web pages that have info about queues, machines.

(3) As tasktracker doesn't have the job ACLs, when anyone tries to access task 
logs of a job, I propose we store the job ACLs in a file (say job-acls.xml) when 
task log files are created by taskTracker. And tasktracker will read this 
job-acls.xml when somebody tries to access task logs using web UI and does the 
authorization. I guess job-acls.xml can contain only the 2 config properties 
mapreduce.job.user.name and mapreduce.job.acl-view-job.

(4) Similar to the supergroup existing in jobtracker now, we would need 
supergroup (same config property) to be set on taskTracker also. This is to 
allow members of supergroup to access task logs. I will deprecate the earlier 
jobtracker config property and add one at cluster level.

Thoughts?

> Authorization for servlets
> --------------------------
>
>                 Key: MAPREDUCE-1455
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1455
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>            Reporter: Devaraj Das
>            Assignee: Ravi Gummadi
>             Fix For: 0.22.0
>
>
> This jira is about building the authorization for servlets (on top of 
> MAPREDUCE-1307). That is, the JobTracker/TaskTracker runs authorization 
> checks on web requests based on the configured job permissions. For e.g., if 
> the job permission is 600, then no one except the authenticated user can look 
> at the job details via the browser. The authenticated user in the servlet can 
> be obtained using the HttpServletRequest method.
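
One way the check proposed in items (3) and (4) of the comment could look, as an added example that is not Hadoop's code or the patch for this issue. The class and method names, the `users groups` layout of the ACL value, and denying access when the ACL is missing are assumptions; only the file name and the two property names come from the comment.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class TaskLogAclCheck {
    // Parse a Hadoop-style <configuration> document into a name -> value map.
    static Map<String, String> readProps(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so a crafted job-acls.xml cannot trigger external entity resolution.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> props = new HashMap<>();
        NodeList list = d.getElementsByTagName("property");
        for (int i = 0; i < list.getLength(); i++) {
            Element p = (Element) list.item(i);
            props.put(p.getElementsByTagName("name").item(0).getTextContent().trim(),
                      p.getElementsByTagName("value").item(0).getTextContent());
        }
        return props;
    }

    // Allow the job owner, supergroup members, and anyone the view ACL names.
    static boolean canViewTaskLogs(Map<String, String> acls, String user,
                                   Set<String> groups, String superGroup) {
        if (user == null || user.isEmpty()) return false;   // unauthenticated request
        if (user.equals(acls.get("mapreduce.job.user.name"))) return true;
        if (superGroup != null && groups.contains(superGroup)) return true;
        String acl = acls.get("mapreduce.job.acl-view-job");
        if (acl == null || acl.trim().isEmpty()) return false; // assumption: fail closed
        if (acl.trim().equals("*")) return true;
        String[] parts = acl.split(" ", 2);   // assumed layout: "user1,user2 group1,group2"
        if (Arrays.asList(parts[0].split(",")).contains(user)) return true;
        if (parts.length == 2)
            for (String g : parts[1].trim().split(","))
                if (groups.contains(g)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        String xml = "<configuration>"   // constructed sample job-acls.xml content
            + "<property><name>mapreduce.job.user.name</name><value>alice</value></property>"
            + "<property><name>mapreduce.job.acl-view-job</name><value>bob analysts</value></property>"
            + "</configuration>";
        Map<String, String> acls = readProps(xml);
        for (String u : new String[] {"alice", "bob", "mallory"})
            System.out.println(u + " -> " + canViewTaskLogs(acls, u, Set.of(), "supergroup"));
    }
}
```

In a servlet, `user` would be the authenticated name taken from the `HttpServletRequest`, as the issue description notes, and a parse failure on the ACL file should be treated as a denial.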
