[ 
https://issues.apache.org/jira/browse/MAPREDUCE-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12836528#action_12836528
 ] 

Ravi Gummadi commented on MAPREDUCE-1455:
-----------------------------------------

>> What about the configuration webinterface.private.actions? It was originally 
>> added as part of HADOOP-1484 'cause authentication/authorization were 
>> missing back then. Now that we have them in place, it doesn't look like we 
>> really need it anymore. I'm fine fixing this in another issue.

If we remove this config now, the default behaviour changes --- in the sense 
that any user can do modify operations on any job (by default --- i.e. if the 
user doesn't enable authorization). This doesn't look good. We need to think 
about this more and decide.

>> The variable 'conf' should actually be removed, instead of just putting a 
>> warning comment about its usage. We should fix the usage of this conf object 
>> in this patch itself, which I find is only at one place in JSPUtil.

Hmm. This would need changes like JSPUtil.getJobInfo() taking conf as another 
parameter --- which in turn leads to code changes in all history-related JSPs, 
which are not touched by this patch. So would it be better to handle this in 
MAPREDUCE-1493, as that is using getJobInfo() and in turn this "conf" variable?

>> Can we move the UGI.doAs() checks also from all the JSPs into 
>> JSPUtil.checkAccessAndGetJob()?...

OK

>> Given above, we can even overload JSPUtil.checkAccessAndGetJob(), (add a new 
>> JobOperation enum?) and make it something like 
>> JSPUtil.checkAccessAndDoOperation(JobOperation). That will make things much 
>> much simpler, I think.

Hmm. This may make the method checkAccessAndDoOperation() complex, as it needs 
to return a JobInProgress object in one case and doesn't have to return anything 
in other cases (like killJob, setJobPriority, killTask, failTask). Also, it needs 
to take different parameters based on the operation it is going to do. What do 
you say?

> Authorization for servlets
> --------------------------
>
>                 Key: MAPREDUCE-1455
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1455
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: jobtracker, security, tasktracker
>            Reporter: Devaraj Das
>            Assignee: Ravi Gummadi
>             Fix For: 0.22.0
>
>         Attachments: 1455.patch, 1455.v1.patch
>
>
> This jira is about building the authorization for servlets (on top of 
> MAPREDUCE-1307). That is, the JobTracker/TaskTracker runs authorization 
> checks on web requests based on the configured job permissions. For e.g., if 
> the job permission is 600, then no one except the authenticated user can look 
> at the job details via the browser. The authenticated user in the servlet can 
> be obtained using the HttpServletRequest method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
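
An added sketch, not part of the original message and not Hadoop code: one possible shape for the single checkAccessAndDoOperation(JobOperation) gate discussed above, with the operation body passed as a callback so the return type and parameters can differ per operation. It also shows the default-behaviour concern about dropping webinterface.private.actions; all names other than JobOperation, checkAccessAndDoOperation and that setting are hypothetical, and the owner-only rule is an assumption modelled on the 600 example.

```java
import java.util.concurrent.Callable;
// Sketch only, not Hadoop code. JobOperation and checkAccessAndDoOperation are
// the names proposed in the thread; every other name is hypothetical.
public class JspAccessSketch {
    enum JobOperation {
        VIEW_JOB(false), KILL_JOB(true), SET_JOB_PRIORITY(true),
        KILL_TASK(true), FAIL_TASK(true);
        final boolean modifies;
        JobOperation(boolean modifies) { this.modifies = modifies; }
    }
    final boolean privateActions;        // models webinterface.private.actions
    final boolean authorizationEnabled;  // off unless the user enables it, per the comment

    JspAccessSketch(boolean privateActions, boolean authorizationEnabled) {
        this.privateActions = privateActions;
        this.authorizationEnabled = authorizationEnabled;
    }

    // Single gate: both checks run before the operation-specific body. The body
    // closes over its own parameters; T is the job object for VIEW_JOB and Void
    // for the modify operations.
    <T> T checkAccessAndDoOperation(JobOperation op, String user, String jobOwner,
                                    Callable<T> body) throws Exception {
        if (op.modifies && !privateActions) {
            throw new SecurityException(op + " is disabled on the web interface");
        }
        // Assumption: with authorization on, only the job owner passes (the 600 case).
        if (authorizationEnabled && !user.equals(jobOwner)) {
            throw new SecurityException(user + " may not " + op + " a job of " + jobOwner);
        }
        return body.call();
    }

    public static void main(String[] args) throws Exception {
        Callable<Void> kill = () -> { System.out.println("job killed"); return null; };
        // Constructed users: alice owns the job, bob does not.
        JspAccessSketch defaults = new JspAccessSketch(false, false);
        String details = defaults.checkAccessAndDoOperation(
            JobOperation.VIEW_JOB, "bob", "alice", () -> "job details");
        System.out.println(details);
        try {
            defaults.checkAccessAndDoOperation(JobOperation.KILL_JOB, "bob", "alice", kill);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Flag removed == privateActions=true: authorization still off, so bob kills alice's job.
        new JspAccessSketch(true, false)
            .checkAccessAndDoOperation(JobOperation.KILL_JOB, "bob", "alice", kill);
    }
}
```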
