[
https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12844797#action_12844797
]
Ravi Gummadi commented on MAPREDUCE-1542:
-----------------------------------------
Thanks Hemanth for the review. It is fine to remove HDFS related stuff from
this patch.
# I think it makes sense to add checks for queue ACLs refresh, service refresh
and user-to-group mapping refresh also similar to node refresh. I don't see a
semantic difference between these operations and node refresh and they should
be implemented in the same way, I think. But I am OK if these are taken up in a
following JIRA, as their addition may not be in the scope of this JIRA.
Right. Let us do it in a follow-up JIRA.
# Regarding tests, I was expecting to see tests that set up users and groups in
the hadoop.cluster.administrators ACL and then checks that various operations
of view and modify succeed with combinations of both allowed and disallowed
users. Exhaustive tests need not be end-to-end I think - i.e. they need not run
real jobs. Since most of the code goes through JobInProgress.checkAccess, can
we just create fake objects and test the checkAccess method ? And maybe have
some end-to-end tests for very important functions like killJob, killTask and
view job details in a JSP.
TestWebUIAuthorization code changes of the patch already check
(a) view-job as admin through almost all JSPs,
(b) modify-job as admin through almost all JSPs -- includes killJob,
killTask, setJobPriority.
TestNodeRefresh checks refreshNodes() as admin.
I guess these are covering tests we want ?
Will incorporate other comments given above and upload new patch.
> Deprecate mapred.permissions.supergroup in favor of
> hadoop.cluster.administrators
> ---------------------------------------------------------------------------------
>
> Key: MAPREDUCE-1542
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: security
> Reporter: Vinod K V
> Assignee: Ravi Gummadi
> Fix For: 0.22.0
>
> Attachments: 1542.20S.patch, 1542.patch, 1542.v1.patch,
> mapreduce-1542-y20s.patch
>
>
> HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through
> which admins can configure who the superusers/supergroups for the cluster
> are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is
> just a single group). As agreed upon at HADOOP-6568, this should be
> deprecated in favor of {{hadoop.cluster.administrators}}.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
