[
https://issues.apache.org/jira/browse/MAPREDUCE-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18040485#comment-18040485
]
ASF GitHub Bot commented on MAPREDUCE-7523:
-------------------------------------------
hadoop-yetus commented on PR #8101:
URL: https://github.com/apache/hadoop/pull/8101#issuecomment-3573465894
:broken_heart: **-1 overall**
| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
| +0 :ok: | reexec | 0m 43s | | Docker mode activated. |
|||| _ Prechecks _ |
| +1 :green_heart: | dupname | 0m 0s | | No case conflicting files
found. |
| +0 :ok: | codespell | 0m 0s | | codespell was not available. |
| +0 :ok: | detsecrets | 0m 0s | | detect-secrets was not available.
|
| +0 :ok: | xmllint | 0m 0s | | xmllint was not available. |
| +0 :ok: | markdownlint | 0m 0s | | markdownlint was not available.
|
| +1 :green_heart: | @author | 0m 0s | | The patch does not contain
any @author tags. |
| +1 :green_heart: | test4tests | 0m 0s | | The patch appears to
include 1 new or modified test files. |
|||| _ trunk Compile Tests _ |
| +0 :ok: | mvndep | 9m 3s | | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 15m 56s | | trunk passed |
| +1 :green_heart: | compile | 8m 52s | | trunk passed with JDK
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | compile | 8m 51s | | trunk passed with JDK
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | checkstyle | 1m 24s | | trunk passed |
| +1 :green_heart: | mvnsite | 1m 22s | | trunk passed |
| +1 :green_heart: | javadoc | 1m 18s | | trunk passed with JDK
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javadoc | 1m 7s | | trunk passed with JDK
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +0 :ok: | spotbugs | 0m 29s | | branch/hadoop-project no spotbugs
output file (spotbugsXml.xml) |
| -1 :x: | spotbugs | 0m 58s |
[/branch-spotbugs-hadoop-mapreduce-project_hadoop-mapreduce-client_hadoop-mapreduce-client-core-warnings.html](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8101/1/artifact/out/branch-spotbugs-hadoop-mapreduce-project_hadoop-mapreduce-client_hadoop-mapreduce-client-core-warnings.html)
|
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core
in trunk has 178 extant spotbugs warnings. |
| -1 :x: | spotbugs | 0m 41s |
[/branch-spotbugs-hadoop-mapreduce-project_hadoop-mapreduce-client_hadoop-mapreduce-client-app-warnings.html](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8101/1/artifact/out/branch-spotbugs-hadoop-mapreduce-project_hadoop-mapreduce-client_hadoop-mapreduce-client-app-warnings.html)
|
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app in
trunk has 39 extant spotbugs warnings. |
| +1 :green_heart: | shadedclient | 14m 44s | | branch has no errors
when building and testing our client artifacts. |
|||| _ Patch Compile Tests _ |
| +0 :ok: | mvndep | 0m 19s | | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 0m 46s | | the patch passed |
| +1 :green_heart: | compile | 8m 27s | | the patch passed with JDK
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javac | 8m 27s | | the patch passed |
| +1 :green_heart: | compile | 8m 44s | | the patch passed with JDK
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javac | 8m 44s | | the patch passed |
| +1 :green_heart: | blanks | 0m 0s | | The patch has no blanks
issues. |
| +1 :green_heart: | checkstyle | 1m 34s | | the patch passed |
| +1 :green_heart: | mvnsite | 1m 21s | | the patch passed |
| +1 :green_heart: | javadoc | 1m 10s | | the patch passed with JDK
Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javadoc | 1m 9s | | the patch passed with JDK
Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +0 :ok: | spotbugs | 0m 20s | | hadoop-project has no data from
spotbugs |
| +1 :green_heart: | shadedclient | 14m 44s | | patch has no errors
when building and testing our client artifacts. |
|||| _ Other Tests _ |
| +1 :green_heart: | unit | 0m 19s | | hadoop-project in the patch
passed. |
| +1 :green_heart: | unit | 6m 29s | | hadoop-mapreduce-client-core in
the patch passed. |
| +1 :green_heart: | unit | 5m 56s | | hadoop-mapreduce-client-app in
the patch passed. |
| -1 :x: | asflicense | 0m 40s |
[/results-asflicense.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8101/1/artifact/out/results-asflicense.txt)
| The patch generated 1 ASF License warnings. |
| | | 122m 47s | | |
| Subsystem | Report/Notes |
|----------:|:-------------|
| Docker | ClientAPI=1.52 ServerAPI=1.52 base:
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8101/1/artifact/out/Dockerfile
|
| GITHUB PR | https://github.com/apache/hadoop/pull/8101 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall
mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint
markdownlint |
| uname | Linux 9ea0fa9fd5c0 5.15.0-153-generic #163-Ubuntu SMP Thu Aug 7
16:37:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / e3be9d537fb1437c50de7ebcd7c91dd050c762be |
| Default Java | Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| Multi-JDK versions |
/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
/usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| Test Results |
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8101/1/testReport/ |
| Max. process+thread count | 1592 (vs. ulimit of 5500) |
| modules | C: hadoop-project
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app U:
. |
| Console output |
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8101/1/console |
| versions | git=2.25.1 maven=3.9.11 spotbugs=4.9.7 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
This message was automatically generated.
> MapReduce Task-Level Security Enforcement
> -----------------------------------------
>
> Key: MAPREDUCE-7523
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-7523
> Project: Hadoop Map/Reduce
> Issue Type: New Feature
> Components: mrv2
> Reporter: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> h2. Overview
> The goal of this feature to provide a configurable mechanism to control which
> users are allowed to execute specific MapReduce jobs.
> This feature aims to prevent unauthorized or potentially harmful
> mapper/reducer implementations from running within the Hadoop cluster.
> In the standard Hadoop MapReduce execution flow:
> 1) A MapReduce job is submitted by a user.
> 2) The job is registered with the Resource Manager (RM).
> 3) The RM assigns the job to a Node Manager (NM), where the Application
> Master (AM) for the job is launched.
> 4) The AM requests additional containers from the cluster, to be able to
> start tasks.
> 5) The NM launches those containers, and the containers execute the
> mapper/reducer tasks defined by the job.
> The proposed feature introduces a security filtering mechanism inside the
> Application Master.
> Before mapper or reducer tasks are launched, the AM will verify that the
> user-submitted MapReduce code complies with a cluster-defined security
> policy.
> This ensures that only approved classes or packages can be executed inside
> the containers.
> The goal is to protect the cluster from unwanted or unsafe task
> implementations, such as custom code that may introduce performance,
> stability, or security risks.
> Upon receiving job metadata, the Application Master will:
> 1) Check the feature is enabled.
> 2) Check the user who submitted the job is allowed to bypass the security
> check.
> 3) Compare classes in job config against the denied task list.
> 4) If job is not authorised an exception will be thrown and AM will fail.
> h2. New Configs
> h5. Enables MapReduce Task-Level Security Enforcement
> When enabled, the Application Master performs validation of user-submitted
> mapper, reducer, and other task-related classes before launching containers.
> This mechanism protects the cluster from running disallowed or unsafe task
> implementations as defined by administrator-controlled policies.
> - Property name: mapreduce.security.enabled
> - Property type: boolean
> - Default: false (security disabled)
> h5. MapReduce Task-Level Security Enforcement: Property Domain
> Defines the set of MapReduce configuration keys that represent user-supplied
> class names involved in task execution (e.g., mapper, reducer, partitioner).
> The Application Master examines the values of these properties and checks
> whether any referenced class is listed in denied tasks.
> Administrators may override this list to expand or restrict the validation
> domain.
> - Property name: mapreduce.security.property-domain
> - Property type: list of configuration keys
> - Default:
> * mapreduce.job.combine.class
> * mapreduce.job.combiner.group.comparator.class
> * mapreduce.job.end-notification.custom-notifier-class
> * mapreduce.job.inputformat.class
> * mapreduce.job.map.class
> * mapreduce.job.map.output.collector.class
> * mapreduce.job.output.group.comparator.class
> * mapreduce.job.output.key.class
> * mapreduce.job.output.key.comparator.class
> * mapreduce.job.output.value.class
> * mapreduce.job.outputformat.class
> * mapreduce.job.partitioner.class
> * mapreduce.job.reduce.class
> * mapreduce.map.output.key.class
> * mapreduce.map.output.value.class
> h5. MapReduce Task-Level Security Enforcement: Denied Tasks
> Specifies the list of disallowed task implementation classes or packages.
> If a user submits a job whose mapper, reducer, or other task-related classes
> match any entry in this blacklist.
> - Property name: mapreduce.security.denied-tasks
> - Property type: list of class name or package patterns
> - Default: empty
> - Example:
> org.apache.hadoop.streaming,org.apache.hadoop.examples.QuasiMonteCarlo
> h5. MapReduce Task-Level Security Enforcement: Allowed Users
> Specifies users who may bypass the blacklist defined in denied tasks.
> This whitelist is intended for trusted or system-level workflows that may
> legitimately require the use of restricted task implementations.
> If the submitting user is listed here, blacklist enforcement is skipped,
> although standard Hadoop authentication and ACL checks still apply.
> - Property name: mapreduce.security.allowed-users
> - Property type: list of usernames
> - Default: empty
> - Example: alice,bob
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
