[ https://issues.apache.org/jira/browse/MAPREDUCE-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12830670#action_12830670 ]
Devaraj Das commented on MAPREDUCE-1457:
----------------------------------------

Ok the individual changes:

1) In the JobTracker, the getStagingArea RPC needs to construct a path for the user to write job files to. The getStagingArea does a getFileSystem and internally the getFileSystem sets up a connection to the namenode. For this connection, the JobTracker's credential should be used. That's why the mrOwner.doAs in that method is required.

2) In Child.java, the task authenticates to the TaskTracker using the jobtoken. The username in the jobtoken is jobId. The doAs block done using taskOwner is required so that the username mentioned in the token and the one doing the operation matches.

3) In Child.java, the task execution and the task cleanup are within doAs blocks and those doAs blocks are run as the user submitting the job. In the former part, the task communicates with the namenode, and in the latter, it could potentially communicate with the namenode (abortTask creates a connection to the namenode, etc). These are within doAs blocks so that the username mentioned in the delegation token (the job submitting user) matches with the user performing the operation.

> For secure job execution, couple of more UserGroupInformation.doAs needs to be added
> ------------------------------------------------------------------------------------
>
> Key: MAPREDUCE-1457
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-1457
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Affects Versions: 0.22.0
> Reporter: Devaraj Das
> Assignee: Jakob Homan
> Fix For: 0.22.0
>
> Attachments: MAPREDUCE-1457-BPY20.patch, MAPREDUCE-1457-BPY20.patch, MAPREDUCE-1457.patch, MAPREDUCE-1457.patch, MAPREDUCE-1457.patch
>
>
> During our testing in a kerberos environment, we had to add UserGroupInformation.doAs blocks in certain places.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
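The identity matching described in points 2 and 3 of the comment, as an added example that is not code from the MAPREDUCE-1457 patch. It assumes hadoop-common on the classpath with default (simple) authentication; the job id, the user name `alice`, the token kind and service strings, and the helpers `tokenFor`, `callerMatchesToken` and `checkAs` are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class DoAsIdentityDemo {
  // Constructed stand-in for a real job or delegation token: the identifier
  // bytes simply carry the owner name; kind and service are made up.
  static Token<TokenIdentifier> tokenFor(String owner) {
    return new Token<TokenIdentifier>(owner.getBytes(StandardCharsets.UTF_8),
        new byte[] {0}, new Text("constructed.kind"), new Text("constructed-service"));
  }

  // Hypothetical, simplified check: is the current caller the user named in
  // one of the tokens it holds? The caller is resolved via getCurrentUser().
  static boolean callerMatchesToken(String owner) throws Exception {
    UserGroupInformation caller = UserGroupInformation.getCurrentUser();
    for (Token<? extends TokenIdentifier> t : caller.getTokens()) {
      String named = new String(t.getIdentifier(), StandardCharsets.UTF_8);
      if (named.equals(owner) && caller.getUserName().equals(owner)) return true;
    }
    return false;
  }

  // Runs the check inside ugi.doAs, so getCurrentUser() resolves to ugi.
  static boolean checkAs(UserGroupInformation ugi, final String owner) throws Exception {
    return ugi.doAs(new PrivilegedExceptionAction<Boolean>() {
      public Boolean run() throws Exception { return callerMatchesToken(owner); }
    });
  }

  public static void main(String[] args) throws Exception {
    String jobId = "job_201002050000_0001";   // constructed job id
    String submitter = "alice";               // constructed job-submitting user

    UserGroupInformation taskOwner = UserGroupInformation.createRemoteUser(jobId);
    taskOwner.addToken(tokenFor(jobId));       // job token, username = jobId
    UserGroupInformation jobUser = UserGroupInformation.createRemoteUser(submitter);
    jobUser.addToken(tokenFor(submitter));     // delegation token of the submitter

    // No doAs: the caller is the process login user, which holds neither token.
    System.out.println("no doAs, job token:         " + callerMatchesToken(jobId));
    // Matching wrapper for each operation: identity and token owner agree.
    System.out.println("taskOwner.doAs, job token:  " + checkAs(taskOwner, jobId));
    System.out.println("jobUser.doAs, delegation:   " + checkAs(jobUser, submitter));
    // Wrong wrapper: the job-token identity attempting the submitter's operation.
    System.out.println("taskOwner.doAs, delegation: " + checkAs(taskOwner, submitter));
  }
}
```

The anonymous `PrivilegedExceptionAction` is deliberate: `doAs` is overloaded for `PrivilegedAction` as well, so a bare lambda would be ambiguous.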