[ https://issues.apache.org/jira/browse/HADOOP-1873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12529585 ]
Raghu Angadi commented on HADOOP-1873:
--------------------------------------

The current proposal is to just pass a ticket through the {{submitJob()}} interface and propagate it to tasks. It may not work if a ticket has a timeout (Kerberos?). This implementation might have to when there is support for short lived timeout. In that case, HDFS could support a special ticket that can impersonate other users:

- when Job tracker accepts a job it first validates the user. If the user is allowed to run a job, it creates a new ticket (using the configured security module) and renews the tickets over time (Just like DFSClient would review).
- for Namenode RPCs, it uses a wrapper/nested ticket that includes the user it wants to impersonate. Namenode verifies the actual user and if that user is allowed to impersonate others, then executes the RPC as the intended user.

I think for now, we can just pass the JobClient's ticket around.

> User permissions for Map/Reduce
> -------------------------------
>
> Key: HADOOP-1873
> URL: https://issues.apache.org/jira/browse/HADOOP-1873
> Project: Hadoop
> Issue Type: Improvement
> Reporter: Raghu Angadi
> Assignee: Raghu Angadi
>
> HADOOP-1298 and HADOOP-1701 add permissions and pluggable security for DFS
> files and DFS accesses. Same users permission should work for Map/Reduce jobs
> as well.
> User permission should propagate from client to map/reduce tasks and all the
> file operations should be subject to user permissions. This is transparent to
> the user (i.e. no changes to user code should be required).

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
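
The nested-ticket check proposed in the comment above, as an added Python sketch that is not part of the original message or of Hadoop's code. All names (`Ticket`, `NestedTicket`, `effective_user`, `renew_if_needed`), the HMAC-based ticket format, and the keys are hypothetical stand-ins for whatever the configured security module would provide.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values standing in for the configured security module.
TICKET_KEYS = {"jobtracker": b"constructed-key-1", "alice": b"constructed-key-2"}
MAY_IMPERSONATE = {"jobtracker"}  # principals allowed to act for other users

@dataclass(frozen=True)
class Ticket:
    principal: str
    expires: int   # Unix seconds
    mac: bytes

def _mac(key, principal, expires):
    return hmac.new(key, f"{principal}|{expires}".encode(), hashlib.sha256).digest()

def issue_ticket(principal, lifetime, now):
    expires = int(now) + lifetime
    return Ticket(principal, expires, _mac(TICKET_KEYS[principal], principal, expires))

def renew_if_needed(ticket, lifetime, now, margin=60):
    """A long-running holder replaces its own ticket shortly before it expires."""
    if ticket.expires - now <= margin:
        return issue_ticket(ticket.principal, lifetime, now)
    return ticket

@dataclass(frozen=True)
class NestedTicket:
    actual: Ticket   # the caller's own ticket
    run_as: str      # the user the RPC should execute as

def effective_user(nested, now):
    """Verifier side: authenticate the actual caller, then authorize impersonation."""
    t = nested.actual
    key = TICKET_KEYS.get(t.principal)
    if key is None or not hmac.compare_digest(t.mac, _mac(key, t.principal, t.expires)):
        raise PermissionError("invalid ticket")
    if now >= t.expires:
        raise PermissionError("ticket expired")
    if nested.run_as != t.principal and t.principal not in MAY_IMPERSONATE:
        raise PermissionError(f"{t.principal} may not impersonate {nested.run_as}")
    return nested.run_as
```

The order of checks matters: the impersonation allowlist is consulted only after the outer ticket has been authenticated and found unexpired, so a forged or stale wrapper never reaches the authorization step.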