[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864181#action_12864181 ] Amareshwari Sriramadasu commented on MAPREDUCE-1542: I created HADOOP-6748, MAPREDUCE-1754 and HDFS-1130 for the proposal @ [this|https://issues.apache.org/jira/browse/MAPREDUCE-1542?focusedCommentId=12862574&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_12862574] > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.1.patch, 1542.20S.patch, 1542.patch, > 1542.v1.patch, mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12863240#action_12863240 ] Vinod K V commented on MAPREDUCE-1542: -- Allen, you could say we didn't understand your intent. Clearly there are differences between the way devs and the services folks think. We could have worked better to reach a proper consensus earlier itself on the JIRA. Anyways, it's good that atleast now everyone is in agreement and we have the right solution finally.. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.1.patch, 1542.20S.patch, 1542.patch, > 1542.v1.patch, mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12862698#action_12862698 ] Allen Wittenauer commented on MAPREDUCE-1542: - You clearly don't want to know my thoughts, given the conversation that happened in this very jira months ago. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.1.patch, 1542.20S.patch, 1542.patch, > 1542.v1.patch, mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12862574#action_12862574 ] Amareshwari Sriramadasu commented on MAPREDUCE-1542: After discussing with Grid operations at Yahoo, we realized that they are in favor of having separate configuration properties for MAPREDUCE and HDFS projects, because usually the conf directory is not different for MAPREDUCE and HDFS, it is just a single HADOOP_CONF_DIR; If the same property name is used for both the administrators it will be confusing and might have other problems if both files are loaded. Currently we have hadoop.clusrer.administrators, mapred.permissions.supergroup and dfs.permissions.supergroup configuration properties for controlling admins. I propose the following change in the configuration for fixing administrator access: 1. Remove hadoop.cluster.administrators 2. Replace mapred.permissions.supergroup with an acl: mapreduce.cluster.administrators 3. The change in HDFS can be decided later, in a different HDFS issue. Will leave dfs.persmissions.supergrop as is, for now. So, when individual daemons create HTTPServer they will set appropriate administrator acl for the HTTPServer. Here, mapred daemons will set the value of mapreduce.cluster.administrators and HDFS daemons will set ' '(space) followed by hdfs.persmissions.supergrop. Thoughts? > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.1.patch, 1542.20S.patch, 1542.patch, > 1542.v1.patch, mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12845035#action_12845035 ] Ravi Gummadi commented on MAPREDUCE-1542: - Right Hemanth. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.patch, 1542.patch, 1542.v1.patch, > mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12844849#action_12844849 ] Hemanth Yamijala commented on MAPREDUCE-1542: - I looked again at TestWebUIAuthorization. It does look like it is covering everything required. Can you confirm if my understanding on this test case is right: Basically, we have configured adminGroup as the admin ACL. 'admin' user is part of the adminGroup (as defined in the custom user to group mapping). Then we drive all operations setting 'admin' as the user. All of these will cover the code path of checking the adminUser because these will be mapped to the adminGroup which is in the administrators ACL. Correct ? > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.patch, 1542.patch, 1542.v1.patch, > mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12844797#action_12844797 ] Ravi Gummadi commented on MAPREDUCE-1542: - Thanks Hemanth for the review. It is fine to remove HDFS related stuff from this patch. # I think it makes sense to add checks for queue ACLs refresh, service refresh and user-to-group mapping refresh also similar to node refresh. I don't see a semantic difference between these operations and node refresh and they should be implemented in the same way, I think. But I am OK if these are taken up in a following JIRA, as their addition may not be in the scope of this JIRA. Right. Let us do it in a follow-up JIRA. # Regarding tests, I was expecting to see tests that set up users and groups in the hadoop.cluster.administrators ACL and then checks that various operations of view and modify succeed with combinations of both allowed and disallowed users. Exhaustive tests need not be end-to-end I think - i.e. they need not run real jobs. Since most of the code goes through JobInProgress.checkAccess, can we just create fake objects and test the checkAccess method ? And maybe have some end-to-end tests for very important functions like killJob, killTask and view job details in a JSP. TestWebUIAuthorization code changes of the patch already check (a) view-job as admin through almost all JSPs, (b) modify-job as admin through almost all JSPs -- includes killJob, killTask, setJobPriority. TestNodeRefresh checks refreshNodes() as admin. I guess these are covering tests we want ? Will incorporate other comments given above and upload new patch. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.patch, 1542.patch, 1542.v1.patch, > mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12844608#action_12844608 ] Hemanth Yamijala commented on MAPREDUCE-1542: - I looked at this patch, and have a few comments: - HttpServer: In the error message, is 'clusterOwner' a familiar term ? Maybe 'User who started the cluster' while more verbose conveys the meaning better. - JobTracker: JobConf.MR_SUPERGROUP reads mapred.permissions.supergroup. Error message here says mapreduce.cluster.permissions.supergroup. - JobTracker.checkAccess is saying that mrOwner and admins can do any operation on the job; however the code is checking queue ACLs first. Hence if the UGI does not have access to do the appropriate operation for the queue, this documentation will be incorrect. - JobACLsManager.checkAccess has a typo in javadoc: "The mrOwner and admins always" -> 'are' is missing. - One reference to mapred.permissions.supergroup in description of mapreduce.job.acl-modify-job in mapred-default.xml - isMROwnerOrAdmin seems out of place in JobTracker. Note that it takes the owner and adminsACL as parameters, and hence can live in any class. Had this not been the case, then the API is fine. I see JobACLsManager as the class responsible for all ACLs checks. So, why can't the mrowner and acls be created inside this class when it is instantiated ? Then, isMROwnerOrAdmin can be implemented directly in JobACLsManager itself. This will also avoid the static call dependencies between TaskTracker classes and JobTracker which also seem a little odd. - I think it makes sense to add checks for queue ACLs refresh, service refresh and user-to-group mapping refresh also similar to node refresh. I don't see a semantic difference between these operations and node refresh and they should be implemented in the same way, I think. But I am OK if these are taken up in a following JIRA, as their addition may not be in the scope of this JIRA. - Regarding tests, I was expecting to see tests that set up users and groups in the hadoop.cluster.administrators ACL and then checks that various operations of view and modify succeed with combinations of both allowed and disallowed users. Exhaustive tests need not be end-to-end I think - i.e. they need not run real jobs. Since most of the code goes through JobInProgress.checkAccess, can we just create fake objects and test the checkAccess method ? And maybe have some end-to-end tests for very important functions like killJob, killTask and view job details in a JSP. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.20S.patch, 1542.patch, 1542.v1.patch, > mapreduce-1542-y20s.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12843458#action_12843458 ] Ravi Gummadi commented on MAPREDUCE-1542: - Configuration without default resources does not load *site.xml files also. So needs to change the logic in buildAdminsACL(). > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.patch, 1542.v1.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12842947#action_12842947 ] Vinod K V commented on MAPREDUCE-1542: -- One more thing, we really don't need the wait loops for the job state to change to KILLED in TestWebUIAuthorization, because we are disabling job-setup/job-cleanup tasks. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12842906#action_12842906 ] Vinod K V commented on MAPREDUCE-1542: -- The patch has gone stale, needs update w.r.t TestWebUIAuthorization. JobTracker.java - The log statement after building acls should also log the configured admin acls. Same in TaskTracker.java - {{buildAdminACLs()}} -- Instead of getting the new configruation property and comparing it with mrOwner, it is better to create a {{Configuration}} object without loading default resources (Hemanth's smart tip!), get the configuration parameter and compare it will null. -- If the new configuration is not present, there is no need for augmenting mrOwner also to the ACL as we specially check for mrOwner everywhere. Correspondingly {{buildACLs()}} doesn't need to take mrOwner as a parameter. Fix the javadoc for MR_SUPERGROUP and JT_SUPERGROUP. The link should be "{...@link CommonConfigurationKeys#HADOOP_CLUSTER_ADMINISTRATORS_PROPERTY}" All tests should use the new configuration property only. We can add a simple unit test for handling deprecation in TestJobConf. Still, there are some occurrences of the old configuration property. Can you do a (case-insensitive) grep for 'supergroup' on the source code and replace'em all? > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > Attachments: 1542.patch > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12841177#action_12841177 ] Ravi Gummadi commented on MAPREDUCE-1542: - OK. Planning to make the config property mapred.permissions.supergroup work. This is done by doing some code changes spicifically for this config property's compatinility. This should be fine as we need this config property only when daemons are starting. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12841071#action_12841071 ] Ravi Gummadi commented on MAPREDUCE-1542: - Removing mapred.permissions.supergroup and the recently renamed mapreduce.jobtracker.permissions.supergroup in favour of the config hadoop.cluster.administrators that can take sequence of users followed by sequence of groups. As mapred.permissions.supergroup is not documented anywhere and as maintaining compatibility between mapred.permissions.supergroup and hadoop.cluster.administrators seems to be very difficult(would need lot of hacking in the code as the values for these 2 keys are different and in different formats), the old config will not be supported with this patch. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V >Assignee: Ravi Gummadi > Fix For: 0.22.0 > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1284#action_1284 ] Vinod K V commented on MAPREDUCE-1542: -- Allen, configuration of commong components is bound to be like this because of the fact that we have a common codebase/project which both MAPREDUCE and HDFS use. The configuration of the common components like Http servers, RPC servers/clients will not have mapred/hdfs specific naming conventions. For e.g., I don't see {{ipc.server.listen.queue.size}} or {{ipc.client.connect.max.retries}} being split into mapred and hdfs specific configuration items despite the fact that JT and NN need different values. I think {{hadoop.cluster.administrators}} also falls under the same category. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V > Fix For: 0.22.0 > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12839784#action_12839784 ] Allen Wittenauer commented on MAPREDUCE-1542: - Every time someone says "oh you can use a separate config file" I need to start thanking them. It just means that Hadoop is that much more operationally complex and helps to make sure that I'll have future employment. :) > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V > Fix For: 0.22.0 > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12839573#action_12839573 ] Vinod K V commented on MAPREDUCE-1542: -- Allen, it is NOT assumed that both frameworks are owned by a single set of admins. Even though the configuration property is named the same, HDFS and MAPRED can both be configured separately to use different set of admins by setting the configuration separately in their own config files. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V > Fix For: 0.22.0 > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MAPREDUCE-1542) Deprecate mapred.permissions.supergroup in favor of hadoop.cluster.administrators
[ https://issues.apache.org/jira/browse/MAPREDUCE-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12839566#action_12839566 ] Allen Wittenauer commented on MAPREDUCE-1542: - Wait, what? This is a horrible idea. I can't believe that such a major shift was hidden in another jira. :( This makes the assumption that both frameworks are owned by a single set of admins. > Deprecate mapred.permissions.supergroup in favor of > hadoop.cluster.administrators > - > > Key: MAPREDUCE-1542 > URL: https://issues.apache.org/jira/browse/MAPREDUCE-1542 > Project: Hadoop Map/Reduce > Issue Type: Bug > Components: security >Reporter: Vinod K V > Fix For: 0.22.0 > > > HADOOP-6568 added the configuration {{hadoop.cluster.administrators}} through > which admins can configure who the superusers/supergroups for the cluster > are. MAPREDUCE itself already has {{mapred.permissions.supergroup}} (which is > just a single group). As agreed upon at HADOOP-6568, this should be > deprecated in favor of {{hadoop.cluster.administrators}}. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.