[
https://issues.apache.org/jira/browse/MAPREDUCE-1664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12902812#action_12902812
]
Vinod K V commented on MAPREDUCE-1664:
--------------------------------------
Started looking at the patch. It's big. So I am summarizing user facing changes
to be explicit.
h3. User facing changes
- The main change is that, now, access to view or modify a job is controlled
by job-acls and queue-acls. To get access to a job, it is enough for a user to
be part of *one of* the access lists. (unlike before, when, one has to be part
of both the lists).
- job-authorization configuration boolean flag is removed.
- both job and queue acls are now driven by "mapred.acls.enabled"
- mapred.acls.enabled is now also needed in TTs conf. (0.20 and pre-0.20 it
was only needed on JT)
- In 21, admins could do refresh queues and switch off and on the queue-acls
feature. This isn't going to happen anymore. Note that this on and off feature
wasn't there in 0.20, and even in 0.21, I can hazard-guess and say it is an
'accidental' feature.
--------------------------------------------------------------------------------------------------------------------------------------
Code-review comments:
- mapred-default.xml: Fix documentation for mapred.acls.enabled to mention
that it is now needed in both JT's and TT's conf files, if at all.
- Deprecate mapred.acls.enabled (fix the documentation too) in favour of
mapreduce.acls.enabled
- aclsEnabled should still be read for the sake of spitting out deprecation
warnings?
- I think its more natural to still keep
QueueManager.getQueueConfigurationParser() as a static factory, that was its
original intention. You can simply pass in the acls enabled flag also as an
argument to the factory method.
- Once you do the above, QueueManager.dumpConfiguration also can remain
static, with no additional arguments.
- JobInProgress.java: you accidentally deleted a line if (jobname ==
null) { jobname = ""; } +720 line after applying patch and +727 before
- JobSubmittedEvent: Please don't mess with deprecated constructors. Create
new ones as you wish. Once you do this, the changes in rumen/20history parser
will not be needed at all.
- JobSubmitter.java: Hard coded internal acl config names are bad. Please use
a constant/method/utility but mark it internal only.
- We should really not bring back the old constant
DeprecatedQueueConfigurationParser.MAPRED_QUEUE_NAMES_KEY and the corresponding
deprecated conf name "mapred.queue.names". Please replace all the uses of this
with the new config file and properties (except possibly when testing the
deprecated configuration)
- JobTracker.java: You can remove AuditLogger.logSuccess call in addJob().
This will be duplicated by the one in aclsmanager.
Tests:
- TestQueueManagerWithJobTracker.testAclsDisabled(), you can remove the
refreshing of queues operation.. it doesn't add any value now.
- TestTaskTrackerLocalization: we were earlier checking permissions of
job-acls file. The file got moved into job-log-dir, but the permissions checks
are missed now.
> Job Acls affect Queue Acls
> --------------------------
>
> Key: MAPREDUCE-1664
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-1664
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: security
> Affects Versions: 0.22.0
> Reporter: Ravi Gummadi
> Assignee: Ravi Gummadi
> Fix For: 0.22.0
>
> Attachments: 1664.20S.3.4.patch, 1664.patch,
> 1664.qAdminsJobView.20S.v1.6.patch, M1664y20s-testfix.patch,
> mr-1664-20-bugfix.patch
>
>
> MAPREDUCE-1307 introduced job ACLs for securing job level operations. So in
> current trunk, queue ACLs and job ACLs are checked(with AND for both acls)
> for allowing job level operations. So for doing operations like killJob,
> killTask and setJobPriority user should be part of both
> mapred.queue.{queuename}.acl-administer-jobs and in
> mapreduce.job.acl-modify-job. This needs to change so that users who are part
> of mapred.queue.{queuename}.acl-administer-jobs will be able to do
> killJob,killTask,setJobPriority and users part of
> mapreduce.job.acl-modify-job will be able to do
> killJob,killTask,setJobPriority.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
