[
https://issues.apache.org/jira/browse/MAPREDUCE-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18040453#comment-18040453
]
ASF GitHub Bot commented on MAPREDUCE-7523:
-------------------------------------------
shkhrgpt opened a new pull request, #8101:
URL: https://github.com/apache/hadoop/pull/8101
<!--
Thanks for sending a pull request!
1. If this is your first time, please read our contributor guidelines:
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
2. Make sure your PR title starts with JIRA issue id, e.g.,
'HADOOP-17799. Your PR title ...'.
-->
### Description of PR
The goal of this feature tp provide a configurable mechanism to control
which users are allowed to execute specific MapReduce jobs. This feature aims
to prevent unauthorized or potentially harmful mapper/reducer implementations
from running within the Hadoop cluster.
In the standard Hadoop MapReduce execution flow:
A MapReduce job is submitted by a user.
The job is registered with the Resource Manager (RM).
The RM assigns the job to a Node Manager (NM), where the Application Master
(AM) for the job is launched.
The AM requests additional containers from the cluster, to be able to start
tasks.
The NM launches those containers, and the containers execute the
mapper/reducer tasks defined by the job.
The proposed feature introduces a security filtering mechanism inside the
Application Master. Before mapper or reducer tasks are launched, the AM will
verify that the user-submitted MapReduce code complies with a cluster-defined
security policy. This ensures that only approved classes or packages can be
executed inside the containers. The goal is to protect the cluster from
unwanted or unsafe task implementations, such as custom code that may introduce
performance, stability, or security risks.
Upon receiving job metadata, the Application Master will:
Check the feature is enabled.
Check the user who submitted the job is allowed to bypass the security check.
Compare classes in job config against the denied task list.
If job is not authorised an exception will be thrown and AM will fail.
New Configs
Enables MapReduce Task-Level Security Enforcement
When enabled, the Application Master performs validation of user-submitted
mapper, reducer, and other task-related classes before launching containers.
This mechanism protects the cluster from running disallowed or unsafe task
implementations as defined by administrator-controlled policies.
Property name: mapreduce.security.enabled
Property type: boolean
Default: false (security disabled)
MapReduce Task-Level Security Enforcement: Property Domain
Defines the set of MapReduce configuration keys that represent user-supplied
class names involved in task execution (e.g., mapper, reducer, partitioner).
The Application Master examines the values of these properties and checks
whether any referenced class is listed in denied tasks. Administrators may
override this list to expand or restrict the validation domain.
Property name: mapreduce.security.property-domain
Property type: list of configuration keys
Default:
mapreduce.job.combine.class
mapreduce.job.combiner.group.comparator.class
mapreduce.job.end-notification.custom-notifier-class
mapreduce.job.inputformat.class
mapreduce.job.map.class
mapreduce.job.map.output.collector.class
mapreduce.job.output.group.comparator.class
mapreduce.job.output.key.class
mapreduce.job.output.key.comparator.class
mapreduce.job.output.value.class
mapreduce.job.outputformat.class
mapreduce.job.partitioner.class
mapreduce.job.reduce.class
mapreduce.map.output.key.class
mapreduce.map.output.value.class
MapReduce Task-Level Security Enforcement: Denied Tasks
Specifies the list of disallowed task implementation classes or packages. If
a user submits a job whose mapper, reducer, or other task-related classes match
any entry in this blacklist.
Property name: mapreduce.security.denied-tasks
Property type: list of class name or package patterns
Default: empty
Example:
org.apache.hadoop.streaming,org.apache.hadoop.examples.QuasiMonteCarlo
MapReduce Task-Level Security Enforcement: Allowed Users
Specifies users who may bypass the blacklist defined in denied tasks. This
whitelist is intended for trusted or system-level workflows that may
legitimately require the use of restricted task implementations. If the
submitting user is listed here, blacklist enforcement is skipped, although
standard Hadoop authentication and ACL checks still apply.
Property name: mapreduce.security.allowed-users
Property type: list of usernames
Default: empty
Example: alice,bob
### How was this patch tested?
UT was run
### For code changes:
- [ ] Does the title or this PR starts with the corresponding JIRA issue id
(e.g. 'HADOOP-17799. Your PR title ...')?
- [ ] Object storage: have the integration tests been executed and the
endpoint declared according to the connector-specific documentation?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`,
`NOTICE-binary` files?
> MapReduce Task-Level Security Enforcement
> -----------------------------------------
>
> Key: MAPREDUCE-7523
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-7523
> Project: Hadoop Map/Reduce
> Issue Type: New Feature
> Components: mrv2
> Reporter: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> h2. Overview
> The goal of this feature to provide a configurable mechanism to control which
> users are allowed to execute specific MapReduce jobs.
> This feature aims to prevent unauthorized or potentially harmful
> mapper/reducer implementations from running within the Hadoop cluster.
> In the standard Hadoop MapReduce execution flow:
> 1) A MapReduce job is submitted by a user.
> 2) The job is registered with the Resource Manager (RM).
> 3) The RM assigns the job to a Node Manager (NM), where the Application
> Master (AM) for the job is launched.
> 4) The AM requests additional containers from the cluster, to be able to
> start tasks.
> 5) The NM launches those containers, and the containers execute the
> mapper/reducer tasks defined by the job.
> The proposed feature introduces a security filtering mechanism inside the
> Application Master.
> Before mapper or reducer tasks are launched, the AM will verify that the
> user-submitted MapReduce code complies with a cluster-defined security
> policy.
> This ensures that only approved classes or packages can be executed inside
> the containers.
> The goal is to protect the cluster from unwanted or unsafe task
> implementations, such as custom code that may introduce performance,
> stability, or security risks.
> Upon receiving job metadata, the Application Master will:
> 1) Check the feature is enabled.
> 2) Check the user who submitted the job is allowed to bypass the security
> check.
> 3) Compare classes in job config against the denied task list.
> 4) If job is not authorised an exception will be thrown and AM will fail.
> h2. New Configs
> h5. Enables MapReduce Task-Level Security Enforcement
> When enabled, the Application Master performs validation of user-submitted
> mapper, reducer, and other task-related classes before launching containers.
> This mechanism protects the cluster from running disallowed or unsafe task
> implementations as defined by administrator-controlled policies.
> - Property name: mapreduce.security.enabled
> - Property type: boolean
> - Default: false (security disabled)
> h5. MapReduce Task-Level Security Enforcement: Property Domain
> Defines the set of MapReduce configuration keys that represent user-supplied
> class names involved in task execution (e.g., mapper, reducer, partitioner).
> The Application Master examines the values of these properties and checks
> whether any referenced class is listed in denied tasks.
> Administrators may override this list to expand or restrict the validation
> domain.
> - Property name: mapreduce.security.property-domain
> - Property type: list of configuration keys
> - Default:
> * mapreduce.job.combine.class
> * mapreduce.job.combiner.group.comparator.class
> * mapreduce.job.end-notification.custom-notifier-class
> * mapreduce.job.inputformat.class
> * mapreduce.job.map.class
> * mapreduce.job.map.output.collector.class
> * mapreduce.job.output.group.comparator.class
> * mapreduce.job.output.key.class
> * mapreduce.job.output.key.comparator.class
> * mapreduce.job.output.value.class
> * mapreduce.job.outputformat.class
> * mapreduce.job.partitioner.class
> * mapreduce.job.reduce.class
> * mapreduce.map.output.key.class
> * mapreduce.map.output.value.class
> h5. MapReduce Task-Level Security Enforcement: Denied Tasks
> Specifies the list of disallowed task implementation classes or packages.
> If a user submits a job whose mapper, reducer, or other task-related classes
> match any entry in this blacklist.
> - Property name: mapreduce.security.denied-tasks
> - Property type: list of class name or package patterns
> - Default: empty
> - Example:
> org.apache.hadoop.streaming,org.apache.hadoop.examples.QuasiMonteCarlo
> h5. MapReduce Task-Level Security Enforcement: Allowed Users
> Specifies users who may bypass the blacklist defined in denied tasks.
> This whitelist is intended for trusted or system-level workflows that may
> legitimately require the use of restricted task implementations.
> If the submitting user is listed here, blacklist enforcement is skipped,
> although standard Hadoop authentication and ACL checks still apply.
> - Property name: mapreduce.security.allowed-users
> - Property type: list of usernames
> - Default: empty
> - Example: alice,bob
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
