[ https://issues.apache.org/jira/browse/MAPREDUCE-1664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12902812#action_12902812 ]
Vinod K V commented on MAPREDUCE-1664: -------------------------------------- Started looking at the patch. It's big. So I am summarizing user facing changes to be explicit. h3. User facing changes - The main change is that, now, access to view or modify a job is controlled by job-acls and queue-acls. To get access to a job, it is enough for a user to be part of *one of* the access lists. (unlike before, when, one has to be part of both the lists). - job-authorization configuration boolean flag is removed. - both job and queue acls are now driven by "mapred.acls.enabled" - mapred.acls.enabled is now also needed in TTs conf. (0.20 and pre-0.20 it was only needed on JT) - In 21, admins could do refresh queues and switch off and on the queue-acls feature. This isn't going to happen anymore. Note that this on and off feature wasn't there in 0.20, and even in 0.21, I can hazard-guess and say it is an 'accidental' feature. -------------------------------------------------------------------------------------------------------------------------------------- Code-review comments: - mapred-default.xml: Fix documentation for mapred.acls.enabled to mention that it is now needed in both JT's and TT's conf files, if at all. - Deprecate mapred.acls.enabled (fix the documentation too) in favour of mapreduce.acls.enabled - aclsEnabled should still be read for the sake of spitting out deprecation warnings? - I think its more natural to still keep QueueManager.getQueueConfigurationParser() as a static factory, that was its original intention. You can simply pass in the acls enabled flag also as an argument to the factory method. - Once you do the above, QueueManager.dumpConfiguration also can remain static, with no additional arguments. - JobInProgress.java: you accidentally deleted a line if (jobname == null) { jobname = ""; } +720 line after applying patch and +727 before - JobSubmittedEvent: Please don't mess with deprecated constructors. Create new ones as you wish. Once you do this, the changes in rumen/20history parser will not be needed at all. - JobSubmitter.java: Hard coded internal acl config names are bad. Please use a constant/method/utility but mark it internal only. - We should really not bring back the old constant DeprecatedQueueConfigurationParser.MAPRED_QUEUE_NAMES_KEY and the corresponding deprecated conf name "mapred.queue.names". Please replace all the uses of this with the new config file and properties (except possibly when testing the deprecated configuration) - JobTracker.java: You can remove AuditLogger.logSuccess call in addJob(). This will be duplicated by the one in aclsmanager. Tests: - TestQueueManagerWithJobTracker.testAclsDisabled(), you can remove the refreshing of queues operation.. it doesn't add any value now. - TestTaskTrackerLocalization: we were earlier checking permissions of job-acls file. The file got moved into job-log-dir, but the permissions checks are missed now. > Job Acls affect Queue Acls > -------------------------- > > Key: MAPREDUCE-1664 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1664 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security > Affects Versions: 0.22.0 > Reporter: Ravi Gummadi > Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1664.20S.3.4.patch, 1664.patch, > 1664.qAdminsJobView.20S.v1.6.patch, M1664y20s-testfix.patch, > mr-1664-20-bugfix.patch > > > MAPREDUCE-1307 introduced job ACLs for securing job level operations. So in > current trunk, queue ACLs and job ACLs are checked(with AND for both acls) > for allowing job level operations. So for doing operations like killJob, > killTask and setJobPriority user should be part of both > mapred.queue.{queuename}.acl-administer-jobs and in > mapreduce.job.acl-modify-job. This needs to change so that users who are part > of mapred.queue.{queuename}.acl-administer-jobs will be able to do > killJob,killTask,setJobPriority and users part of > mapreduce.job.acl-modify-job will be able to do > killJob,killTask,setJobPriority. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.