[
https://issues.apache.org/jira/browse/SQOOP-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549455#comment-15549455
]
Jarek Jarcec Cecho commented on SQOOP-3018:
-------------------------------------------
If my memory serves me well, we did not want to impersonate the whole job as
that would expose information that should be exposed. E.g. if malicious user
that doesn't have credentials to given database - but have a privilege to use
them in Sqoop 2 server through link object, he could potentially attach
debugger to the impersonated process and get the credentials. Not impersonating
the whole job, means that there is no such attack vector.
I'm however not sure if that is still applicable to the current code base or
not.
> Hadoop MapReduce job submission be done in client user UGI?
> -----------------------------------------------------------
>
> Key: SQOOP-3018
> URL: https://issues.apache.org/jira/browse/SQOOP-3018
> Project: Sqoop
> Issue Type: New Feature
> Components: connectors/hdfs
> Affects Versions: 1.99.7
> Reporter: Yan Braun
>
> Hdfs Connector read and write to HDFS in client user UGI when proxyUser is
> enabled. But MapReduce job submission is done using Sqoop user UGI, which
> makes all jobs from different users run in Sqoop user's hadoop queue instead
> of client users' own queue.
> This is a follow-up JIRA after our discussions with Abraham Fine on whether
> this will be on sqoop2 road map in the near future. Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
