[ https://issues.apache.org/jira/browse/MAPREDUCE-1493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12836831#action_12836831 ]

Ravi Gummadi commented on MAPREDUCE-1493:
-----------------------------------------

Didn't review the whole patch. Patch looks good functionally, when I tested 
this patch on web UI. Some comments:

(1) Though it doesn't seem to be a security hole, taskstatshistory.jsp can 
build taskid from attemptid instead of taking both as parameters.
(2) Similar to jobhistory.jsp, jobtracker.jsp's Retired Jobs need to take only 
logFile as parameter and need not take jobId as parameter.
(3) All jsps modified in MAPREDUCE-1455 have parameter names as "tipid" and 
"taskid" to refer to tip and attempt. But in history related jsps, name 
"taskid" is used to refer to tip sometimes and attempt in some other places. We 
could follow the same names as all of jsps of MAPREDUCE-1455 are following. For 
eg, links of task logs and task counters in taskdetailshistory.jsp.
(4) jobdetailshistory.jsp can display the job ACLs similar to jobdetails.jsp.
(5) Irrespective of this patch, search on the jobhistory page seems to be taking 
only till underscore (excluding underscore) in the username. For eg, if I search 
for user name "ravi_tmp", it gives No Jobs even though I launched jobs as 
ravi_tmp. It gives jobs of ravi_tmp if I give username as ravi. Is this a known 
issue?

> Authorization for job-history pages
> -----------------------------------
>
>                 Key: MAPREDUCE-1493
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1493
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: jobtracker, security
>            Reporter: Vinod K V
>            Assignee: Vinod K V
>             Fix For: 0.22.0
>
>         Attachments: MAPREDUCE-1493-20100222.1.txt
>
>
> MAPREDUCE-1455 introduces authorization for most of the Map/Reduce jsp pages 
> and servlets, but left history pages. This JIRA will make sure that 
> authorization checks are made while accessing job-history pages also.
