[jira] [Commented] (MAPREDUCE-2858) MRv2 WebApp Security

[Luke Lu (Commented) (JIRA)]

    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13126804#comment-13126804
 ] 

Luke Lu commented on MAPREDUCE-2858:
------------------------------------

bq. The only allowed access is via the proxy (no HDFS, etc)

This is only for webapp. The usual Hdfs security over kerberos works fine.

bq. The filter drops all embedded content. Bye-bye MR SVG graphs.

Again, you're commenting without reading the design notes here. The user can 
use whatever he wants in the webapp. Embedded content is fine for other users 
as well as long as src/href is relative *and/or* whitelisted.

bq. This is much better than a black box that gives a false sense of security.

Actually, it's the code signing that is a black box that gives a false sense of 
security. The proxy don't trust user submitted code per request with mandatory 
logging. 

                
> MRv2 WebApp Security
> --------------------
>
>                 Key: MAPREDUCE-2858
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: applicationmaster, mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Luke Lu
>            Assignee: Luke Lu
>            Priority: Blocker
>             Fix For: 0.23.0
>
>
> In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and 
> NameNode (NN)) run as "trusted"
> system users, the application masters (AM) run as users who submit the 
> application. While this offers great flexibility
> to run multiple version of mapreduce frameworks (including their UI) on the 
> same Hadoop cluster, it has significant
> implication for the security of webapps (Please do not discuss company 
> specific vulnerabilities here).
> Requirements:
> # Secure authentication for AM (for app/job level ACLs).
> # Webapp security should be optional via site configuration.
> # Support existing pluggable single sign on mechanisms.
> # Should not require per app/user configuration for deployment.
> # Should not require special site-wide DNS configuration for deployment.
> This the top jira for webapp security. A design doc/notes of threat-modeling 
> and counter measures will be posted on the wiki.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira