[ 
https://issues.apache.org/jira/browse/SQOOP-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15576119#comment-15576119
 ] 

Daryn Sharp commented on SQOOP-3018:
------------------------------------

Not impersonating the entire job is security concern.  Allowing the user to 
alter the classpath and/or provide custom job code that will run as a 
privileged user isn't a concern, it's a giant security hole.  Trying to prevent 
me from attaching a debugger to get access to credentials (which should be 
mine?) isn't a concern when I can hack the job from the inside.

The real use case is no job can be trusted to run as a privileged user that 
selectively impersonates normal users.  Jobs must run as non-priviledged users.

> Hadoop MapReduce job submission be done in client user UGI?
> -----------------------------------------------------------
>
>                 Key: SQOOP-3018
>                 URL: https://issues.apache.org/jira/browse/SQOOP-3018
>             Project: Sqoop
>          Issue Type: New Feature
>          Components: connectors/hdfs
>    Affects Versions: 1.99.7
>            Reporter: Yan Braun
>         Attachments: SQOOP-3018.patch
>
>
> Hdfs Connector read and write to HDFS in client user UGI when proxyUser is 
> enabled.  But MapReduce job submission is done using Sqoop user UGI, which 
> makes all jobs from different users run in Sqoop user's hadoop queue  instead 
> of client users' own queue.   
> This is a follow-up JIRA after our discussions with Abraham Fine on whether 
> this will be on sqoop2 road map in the near future.  Thanks.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to