[ https://issues.apache.org/jira/browse/MAPREDUCE-1664?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Allen Wittenauer updated MAPREDUCE-1664:
----------------------------------------
    Release Note: 
<!-- markdown -->
* Removed the aclsEnabled flag from queues configuration files.
* Removed the configuration property 
mapreduce.cluster.job-authorization-enabled.
* Added mapreduce.cluster.acls.enabled as the single configuration property in 
mapred-default.xml that enables the authorization checks for all job level and 
queue level operations.
* To enable authorization of users to do job level and queue level operations, 
mapreduce.cluster.acls.enabled is to be set to true in the JobTracker's 
configuration and in all TaskTrackers' configurations.
* To get access to a job, it is enough for a user to be part of one of the 
access lists, i.e. either job-acl or queue-admins-acl (unlike before, when one 
had to be part of both lists).
* Queue administrators (configured via acl-administer-jobs) of a queue can do 
all view-job and modify-job operations on all jobs submitted to that queue.
* ClusterOwner (who started the mapreduce cluster) and cluster 
administrators (configured via mapreduce.cluster.permissions.supergroup) can do 
all job level operations and queue level operations on all jobs on all queues 
in that cluster, irrespective of the job-acls and queue-acls configured.
* JobOwner (who submitted the job to a queue) can do all view-job and modify-job 
operations on his/her job, irrespective of job-acls and queue-acls.
* Since the aclsEnabled flag is removed from queues configuration files, "refresh 
of queues configuration" will not change mapreduce.cluster.acls.enabled on the 
fly. mapreduce.cluster.acls.enabled can be modified only when restarting the 
mapreduce cluster.



> Job Acls affect Queue Acls
> --------------------------
>
>                 Key: MAPREDUCE-1664
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1664
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.22.0
>            Reporter: Ravi Gummadi
>            Assignee: Ravi Gummadi
>             Fix For: 0.22.0
>
>         Attachments: 1664.20S.3.4.patch, 1664.patch, 
> 1664.qAdminsJobView.20S.v1.6.patch, 1664.v1.1.patch, 1664.v1.2.patch, 
> 1664.v1.patch, M1664y20s-testfix.patch, mr-1664-20-bugfix.patch
>
>
> MAPREDUCE-1307 introduced job ACLs for securing job level operations. So in 
> current trunk, queue ACLs and job ACLs are checked (with AND for both ACLs) 
> for allowing job level operations. So for doing operations like killJob, 
> killTask and setJobPriority, the user should be part of both 
> mapred.queue.{queuename}.acl-administer-jobs and 
> mapreduce.job.acl-modify-job. This needs to change so that users who are part 
> of mapred.queue.{queuename}.acl-administer-jobs will be able to do 
> killJob, killTask, setJobPriority and users who are part of 
> mapreduce.job.acl-modify-job will be able to do 
> killJob, killTask, setJobPriority.
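
The access rules in the release note, set beside the old AND combination from the issue description, as an added Python model (not Hadoop's code and not part of the original message). It lists which users gain access under the new rules. Assumptions: the user names are constructed, the supergroup is already resolved to a set of users, a disabled mapreduce.cluster.acls.enabled means no request is denied, and only the ACL combination is modelled for the old behaviour.

```python
from dataclasses import dataclass, field

VIEW_JOB, MODIFY_JOB = "view-job", "modify-job"

@dataclass
class Cluster:
    acls_enabled: bool                         # mapreduce.cluster.acls.enabled
    owner: str                                 # user who started the cluster
    admins: set = field(default_factory=set)   # users resolved from the supergroup (assumed)

@dataclass
class Job:
    owner: str                                 # user who submitted the job
    queue_admins: set                          # the queue's acl-administer-jobs
    job_acl: dict                              # operation -> users in that job ACL

def acl_check_before(job, user, op):
    """Old combination from the issue description: queue ACL AND job ACL."""
    return user in job.queue_admins and user in job.job_acl.get(op, set())

def allowed_after(cluster, job, user, op):
    """Rules from the release note."""
    if not cluster.acls_enabled:               # assumption: checks off means no denial
        return True
    if user == cluster.owner or user in cluster.admins:
        return True                            # cluster owner and cluster administrators
    if user == job.owner:
        return True                            # job owner, irrespective of the ACLs
    # One list is enough: queue administrators OR the job ACL for this operation.
    return user in job.queue_admins or user in job.job_acl.get(op, set())

def access_widened(cluster, job, users, op):
    """Users the old AND check rejected but the new rules admit."""
    return sorted(u for u in users
                  if allowed_after(cluster, job, u, op)
                  and not acl_check_before(job, u, op))

# Constructed sample data (all user names are made up).
CLUSTER = Cluster(acls_enabled=True, owner="mapred", admins={"hadoopadmin"})
JOB = Job(owner="alice", queue_admins={"qadmin", "dave"},
          job_acl={MODIFY_JOB: {"bob", "dave"}, VIEW_JOB: set()})
USERS = ["alice", "bob", "carol", "dave", "qadmin", "mapred", "hadoopadmin"]

if __name__ == "__main__":
    for u in USERS:
        print(u, acl_check_before(JOB, u, MODIFY_JOB),
              allowed_after(CLUSTER, JOB, u, MODIFY_JOB))
    print("widened:", access_widened(CLUSTER, JOB, USERS, MODIFY_JOB))
```

Running a model like this over the real ACL membership before upgrading shows which accounts pick up view-job or modify-job rights through queue administration alone.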


