[
https://issues.apache.org/jira/browse/MAPREDUCE-181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Devaraj Das updated MAPREDUCE-181:
----------------------------------
Attachment: 181-6.patch
In my local tests, i discovered that i had to do a bunch of changes to work
around the extra checks that i introduced in the last patch. One of them being
check for ownership of the staging dir now includes a check for the UGI of the
submitting user (otherwise tests that fake UGI were failing during job
submission). I also introduced a method for getting the staging area location
from the JobTracker (so that the user's home dir doesn't get clobbered with
files in .staging dir when tests are run).
I am still testing this patch. With the server side groups patch in, i might
need to do some minor changes in the testcases for them to work in the new
model of job submission. But this should mostly be good overall.. Up for
review.
> Secure job submission
> ----------------------
>
> Key: MAPREDUCE-181
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-181
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Reporter: Amar Kamat
> Assignee: Devaraj Das
> Fix For: 0.22.0
>
> Attachments: 181-1.patch, 181-2.patch, 181-3.patch, 181-3.patch,
> 181-4.patch, 181-5.1.patch, 181-5.1.patch, 181-6.patch,
> hadoop-3578-branch-20-example-2.patch, hadoop-3578-branch-20-example.patch,
> HADOOP-3578-v2.6.patch, HADOOP-3578-v2.7.patch, MAPRED-181-v3.32.patch,
> MAPRED-181-v3.8.patch
>
>
> Currently the jobclient accesses the {{mapred.system.dir}} to add job
> details. Hence the {{mapred.system.dir}} has the permissions of
> {{rwx-wx-wx}}. This could be a security loophole where the job files might
> get overwritten/tampered after the job submission.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
