[ https://issues.apache.org/jira/browse/MAPREDUCE-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ravi Gummadi updated MAPREDUCE-1455:
------------------------------------

    Attachment: 1455.v1.patch

Attaching new patch for MAPREDUCE-1455 on top of latest patch of MAPREDUCE-1307.

Other changes in this patch compared to earlier patch include

(1) jobdetails.jsp shows job-ACLs configured for the job.
(2) Made error page display the job-acls for the particular job.
(3) Fixed an existing security issue in all the modified jsps so that they build 
(a) tipid and jobid from taskid (i.e. attemptid) instead of taking all of them 
as parameters, if taskid is input to jsp (b) jobid from tipid instead of taking 
jobid also as another parameter, if tipid is input to jsp. Without this fix, 
people can modify only jobid in the URL and specify tipid and taskid of other 
jobs and can access those tasks' pages.
(4) refactored code to avoid code duplication related to handling 
AccessControlException.

Please review and provide your comments.


> Authorization for servlets
> --------------------------
>
>                 Key: MAPREDUCE-1455
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1455
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: jobtracker, security, tasktracker
>            Reporter: Devaraj Das
>            Assignee: Ravi Gummadi
>             Fix For: 0.22.0
>
>         Attachments: 1455.patch, 1455.v1.patch
>
>
> This jira is about building the authorization for servlets (on top of 
> MAPREDUCE-1307). That is, the JobTracker/TaskTracker runs authorization 
> checks on web requests based on the configured job permissions. For example, if 
> the job permission is 600, then no one except the authenticated user can look 
> at the job details via the browser. The authenticated user in the servlet can 
> be obtained using the HttpServletRequest method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
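
The fix described in item (3) of the comment above, as an added example that is not part of the attached patch or of the Hadoop code base: the job the ACL check runs against is derived from the most specific ID in the request, and any `jobid` sent alongside is ignored. The class and method names, the ACL map, the sample IDs and the assumed ID layout (numeric jobtracker identifier) are illustrative; plain string parsing stands in for Hadoop's own ID classes.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TaskPageIds {
    // Assumed layout: attempt_<jt>_<job>_<m|r>_<task>_<n> and task_<jt>_<job>_<m|r>_<task>
    private static final Pattern ATTEMPT =
        Pattern.compile("attempt_(\\d+_\\d+)_([mr]_\\d+)_\\d+");
    private static final Pattern TIP = Pattern.compile("task_(\\d+_\\d+)_([mr]_\\d+)");

    /** Returns {jobid, tipid} derived from the most specific ID in the request. */
    static String[] resolve(Map<String, String> params) {
        String attempt = params.get("taskid"), tip = params.get("tipid");
        Matcher m;
        if (attempt != null) {
            m = ATTEMPT.matcher(attempt);
        } else if (tip != null) {
            m = TIP.matcher(tip);
        } else {
            // Only a job-level page may take jobid directly.
            String job = params.get("jobid");
            if (job == null || !job.matches("job_\\d+_\\d+"))
                throw new IllegalArgumentException("no valid id in request");
            return new String[] {job, null};
        }
        if (!m.matches()) throw new IllegalArgumentException("malformed id");
        // A jobid or tipid sent alongside the more specific ID is ignored, not trusted.
        return new String[] {"job_" + m.group(1), "task_" + m.group(1) + "_" + m.group(2)};
    }

    /** Hypothetical stand-in for the job-ACL check done by the servlet. */
    static boolean mayView(String user, String jobId, Map<String, Set<String>> viewAcls) {
        return viewAcls.getOrDefault(jobId, Set.of()).contains(user);
    }

    public static void main(String[] args) {
        // Constructed data: alice may view job 0001, bob may view job 0002.
        Map<String, Set<String>> acls = Map.of(
            "job_201002101200_0001", Set.of("alice"),
            "job_201002101200_0002", Set.of("bob"));
        // Constructed request: alice's jobid paired with an attempt of bob's job.
        Map<String, String> req = Map.of(
            "jobid", "job_201002101200_0001",
            "taskid", "attempt_201002101200_0002_m_000003_0");
        // Before the fix: the ACL check keyed on the supplied jobid passes.
        System.out.println("trusting jobid: " + mayView("alice", req.get("jobid"), acls));
        // After the fix: the job is derived from the attempt ID, so the check fails.
        System.out.println("derived jobid:  " + mayView("alice", resolve(req)[0], acls));
    }
}
```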
