[ 
https://issues.apache.org/jira/browse/MAPREDUCE-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125869#comment-13125869
 ] 

Robert Joseph Evans commented on MAPREDUCE-2858:
------------------------------------------------

I am getting started on putting together an initial simple patch.  Creating a 
Java proxy that just verifies a user and adds the user name to the request on 
the back end looks fairly simple.  Hopefully the design doc will be out before 
the code is finished so that the code can then be updated to match the document.

But as part of this I have been looking for a good pure Java streaming HTML 
parser with a compatible license so that I can get a fingerprint of the JS code 
in a page.  I found [TagSoup|http://mercury.ccil.org/~cowan/XML/tagsoup/] which 
is Apache 2.0 as of version 1.2.  I have never used it before.  It appears up 
to date (version 1.2.1 looks like it was released in July).  I was wondering:

 # Has anyone ever used this library before, and what did they think of it?
 # Is there a better solution for parsing out all JavaScript/Links from a web page?
                
> MRv2 WebApp Security
> --------------------
>
>                 Key: MAPREDUCE-2858
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
>             Project: Hadoop Map/Reduce
>          Issue Type: Sub-task
>          Components: applicationmaster, mrv2, security
>    Affects Versions: 0.23.0
>            Reporter: Luke Lu
>            Assignee: Luke Lu
>            Priority: Blocker
>             Fix For: 0.23.0
>
>
> In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and
> NameNode (NN)) run as "trusted" system users, the application masters (AM)
> run as users who submit the application. While this offers great flexibility
> to run multiple versions of mapreduce frameworks (including their UI) on the
> same Hadoop cluster, it has significant implications for the security of
> webapps (Please do not discuss company specific vulnerabilities here).
> Requirements:
> # Secure authentication for AM (for app/job level ACLs).
> # Webapp security should be optional via site configuration.
> # Support existing pluggable single sign on mechanisms.
> # Should not require per app/user configuration for deployment.
> # Should not require special site-wide DNS configuration for deployment.
> This is the top jira for webapp security. A design doc/notes of threat-modeling
> and countermeasures will be posted on the wiki.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
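
As an added illustration (not code from the comment, the eventual patch, or Hadoop), one way a fingerprint of a page's JavaScript and links could be computed with TagSoup's SAX interface: hash every script source, inline script body and link target in document order. The class `ScriptFingerprint`, the `fingerprint` helper, the choice of SHA-256 and the sample page are assumptions; the comment does not say how the fingerprint is defined.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.ccil.cowan.tagsoup.Parser;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class ScriptFingerprint {
    // Hypothetical helper: SHA-256 over script sources, inline script bodies and hrefs.
    static String fingerprint(String html) throws Exception {
        final MessageDigest md = MessageDigest.getInstance("SHA-256");
        Parser parser = new Parser(); // TagSoup's SAX XMLReader; tolerates malformed HTML
        parser.setContentHandler(new DefaultHandler() {
            private StringBuilder script; // non-null only while inside a <script> element
            private void feed(String label, String value) {
                // The label and NUL separators keep adjacent values from running together.
                md.update((label + "\0" + value + "\0").getBytes(StandardCharsets.UTF_8));
            }
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                if ("script".equals(local)) {
                    script = new StringBuilder();
                    if (atts.getValue("src") != null) feed("script-src", atts.getValue("src"));
                } else if (("a".equals(local) || "link".equals(local)) && atts.getValue("href") != null) {
                    feed("href", atts.getValue("href"));
                }
            }
            @Override
            public void characters(char[] ch, int start, int len) {
                // SAX may deliver text in several chunks, so buffer until the element closes.
                if (script != null) script.append(ch, start, len);
            }
            @Override
            public void endElement(String uri, String local, String qName) {
                if ("script".equals(local) && script != null) {
                    feed("script-inline", script.toString());
                    script = null;
                }
            }
        });
        parser.parse(new InputSource(new StringReader(html)));
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample page, not taken from any Hadoop web UI.
        String page = "<html><body><script src='/static/app.js'></script><a href='/jobs'>jobs</a>";
        System.out.println(fingerprint(page));
    }
}
```

This needs the TagSoup jar on the classpath. Inline event-handler attributes such as `onclick` are not covered here and would need their own case in `startElement`.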

        
