[
https://issues.apache.org/jira/browse/MAPREDUCE-181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12792077#action_12792077
]
Owen O'Malley commented on MAPREDUCE-181:
-----------------------------------------
I think that JobInfo should just contain the user as a Text. Otherwise, we'll
end up with trouble with the upcoming changes to UGI.
The job tracker should:
# fail to come up if the system directory is owned by the wrong user
# chmod it to 700, if it isn't already. (And log a warning about the change).
In JobTracker.java, you have some spurious spacing changes.
The job client's job submission should fail unless:
# the staging directory doesn't exist (it will be created with 700)
# the owner is the current user
# the permission isn't 700
Let's make the client side logging messages about the split generation debugs
instead of info.
This is looking good. I'm really looking forward to have job submission secure.
*smile*
> Secure job submission
> ----------------------
>
> Key: MAPREDUCE-181
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-181
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Reporter: Amar Kamat
> Assignee: Devaraj Das
> Fix For: 0.22.0
>
> Attachments: 181-1.patch, 181-2.patch, 181-3.patch, 181-3.patch,
> 181-4.patch, hadoop-3578-branch-20-example-2.patch,
> hadoop-3578-branch-20-example.patch, HADOOP-3578-v2.6.patch,
> HADOOP-3578-v2.7.patch, MAPRED-181-v3.32.patch, MAPRED-181-v3.8.patch
>
>
> Currently the jobclient accesses the {{mapred.system.dir}} to add job
> details. Hence the {{mapred.system.dir}} has the permissions of
> {{rwx-wx-wx}}. This could be a security loophole where the job files might
> get overwritten/tampered after the job submission.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
