[jira] [Commented] (MAPREDUCE-3903) no admin override to view jobs on mr app master and job history server

Mon, 27 Feb 2012 15:32:12 -0800 

    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-3903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13217690#comment-13217690
 ] 

Thomas Graves commented on MAPREDUCE-3903:
------------------------------------------

Ok, so it looks like there are a few bugs in the code.  Here is basically what 
I am planning implementing:

- yarn acls/application acls are separate from mapreduce acls.  They only 
control what a user can view/modify on the RM.  This include the admins as 
well. So yarn.admins do not apply to AM/history server.  

- mapreduce job acls are put into application acls when application is 
submitted (this didn't change)

- the mapreduce application master and mapreduce job history server purely use 
the mapreduce job acls - this includes mapreduce.cluster.acls.enabled, 
mapreduce.cluster.administrators, acl-view-job, and acl-modify-job.

This separates out yarn from mapreduce so that someone could be admin for 
mapreduce without being yarn admin and when other apps are ported to yarn, they 
can be separate too.  The reason I don't have yarn admins apply to job history 
server is because the job history server is a mapreduce only component and 
shouldn't be looking at the yarn configs.

The only problem with this still is it appears the AM and job history server 
are using the job configuration so the user can override the settings - this is 
bad!! I need to investigate that more.


                
> no admin override to view jobs on mr app master and job history server
> ----------------------------------------------------------------------
>
>                 Key: MAPREDUCE-3903
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3903
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: mrv2
>            Reporter: Thomas Graves
>            Assignee: Thomas Graves
>            Priority: Critical
>             Fix For: 0.23.0
>
>
> in 1.0 there was a config mapreduce.cluster.administrators that allowed 
> administrators to view anyones job.  That no longer works on yarn.
> yarn has the new config yarn.admin.acl but it appears the mr app master and 
> job history server don't use that.  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to