[ 
https://issues.apache.org/jira/browse/MAPREDUCE-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18067669#comment-18067669
 ] 

ASF GitHub Bot commented on MAPREDUCE-7523:
-------------------------------------------

K0K0V0K commented on code in PR #8100:
URL: https://github.com/apache/hadoop/pull/8100#discussion_r2975230949


##########
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRConfig.java:
##########
@@ -133,5 +133,82 @@ public interface MRConfig {
   boolean DEFAULT_MASTER_WEBAPP_UI_ACTIONS_ENABLED = true;
   String MULTIPLE_OUTPUTS_CLOSE_THREAD_COUNT = 
"mapreduce.multiple-outputs-close-threads";
   int DEFAULT_MULTIPLE_OUTPUTS_CLOSE_THREAD_COUNT = 10;
+
+  /**
+   * Enables MapReduce Task-Level Security Enforcement.
+   *
+   * When enabled, the Application Master performs validation of user-submitted
+   * mapper, reducer, and other task-related classes before launching 
containers.
+   * This mechanism protects the cluster from running disallowed or unsafe task
+   * implementations as defined by administrator-controlled policies.
+   *
+   * Property type: boolean
+   * Default: false (security disabled)
+   */
+  String SECURITY_ENABLED = "mapreduce.security.enabled";
+  boolean DEFAULT_SECURITY_ENABLED = false;
+
+  /**
+   * MapReduce Task-Level Security Enforcement: Property Domain
+   *
+   * Defines the set of MapReduce configuration keys that represent 
user-supplied
+   * class names involved in task execution (e.g., mapper, reducer, 
partitioner).
+   * The Application Master examines the values of these properties and checks
+   * whether any referenced class is listed in {@link #SECURITY_DENIED_TASKS}.
+   * Administrators may override this list to expand or restrict the validation
+   * domain.
+   *
+   * Property type: list of configuration keys
+   * Default: all known task-level class properties (see list below)
+   */
+  String SECURITY_PROPERTY_DOMAIN = "mapreduce.security.property-domain";
+  String[] DEFAULT_SECURITY_PROPERTY_DOMAIN = {
+      "mapreduce.job.combine.class",
+      "mapreduce.job.combiner.group.comparator.class",
+      "mapreduce.job.end-notification.custom-notifier-class",
+      "mapreduce.job.inputformat.class",
+      "mapreduce.job.map.class",
+      "mapreduce.job.map.output.collector.class",
+      "mapreduce.job.output.group.comparator.class",
+      "mapreduce.job.output.key.class",
+      "mapreduce.job.output.key.comparator.class",
+      "mapreduce.job.output.value.class",
+      "mapreduce.job.outputformat.class",
+      "mapreduce.job.partitioner.class",
+      "mapreduce.job.reduce.class",
+      "mapreduce.map.output.key.class",
+      "mapreduce.map.output.value.class"
+  };
+
+  /**
+   * MapReduce Task-Level Security Enforcement: Denied Tasks
+   *
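
Review bot: `DEFAULT_SECURITY_PROPERTY_DOMAIN` is declared as a `String[]` inside an interface, so the reference is implicitly `public static final` but the elements stay writable. Any code running in the same JVM can change which configuration keys the default validation domain covers. For a constant that defines the scope of a security check, prefer an unmodifiable collection or a single comma-separated `String` default, and copy it before use. The Javadoc line "Default: all known task-level class properties (see list below)" could also point at the constant directly with `{@link #DEFAULT_SECURITY_PROPERTY_DOMAIN}`.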

Review Comment:
   <img width="992" height="386" alt="image" src="https://github.com/user-attachments/assets/4df10d95-7c03-4e1e-891a-1153adc5c97d" />
   I don't think this is working for arrays, seems like only const is supported





> MapReduce Task-Level Security Enforcement
> -----------------------------------------
>
>                 Key: MAPREDUCE-7523
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-7523
>             Project: Hadoop Map/Reduce
>          Issue Type: New Feature
>          Components: mrv2
>            Reporter: Bence Kosztolnik
>            Priority: Major
>              Labels: pull-request-available
>
> h2. Overview
> The goal of this feature is to provide a configurable mechanism to control which 
> users are allowed to execute specific MapReduce jobs. 
> This feature aims to prevent unauthorized or potentially harmful 
> mapper/reducer implementations from running within the Hadoop cluster.
> In the standard Hadoop MapReduce execution flow:
> 1) A MapReduce job is submitted by a user.
> 2) The job is registered with the Resource Manager (RM).
> 3) The RM assigns the job to a Node Manager (NM), where the Application 
> Master (AM) for the job is launched.
> 4) The AM requests additional containers from the cluster, to be able to 
> start tasks.
> 5) The NM launches those containers, and the containers execute the 
> mapper/reducer tasks defined by the job.
> The proposed feature introduces a security filtering mechanism inside the 
> Application Master. 
> Before mapper or reducer tasks are launched, the AM will verify that the 
> user-submitted MapReduce code complies with a cluster-defined security 
> policy. 
> This ensures that only approved classes or packages can be executed inside 
> the containers.
> The goal is to protect the cluster from unwanted or unsafe task 
> implementations, such as custom code that may introduce performance, 
> stability, or security risks.
> Upon receiving job metadata, the Application Master will:
> 1) Check the feature is enabled.
> 2) Check the user who submitted the job is allowed to bypass the security 
> check.
> 3) Compare classes in job config against the denied task list.
> 4) If the job is not authorised, an exception will be thrown and the AM will fail.
> h2. New Configs
> h5. Enables MapReduce Task-Level Security Enforcement
> When enabled, the Application Master performs validation of user-submitted 
> mapper, reducer, and other task-related classes before launching containers.
> This mechanism protects the cluster from running disallowed or unsafe task 
> implementations as defined by administrator-controlled policies.
>  - Property name: mapreduce.security.enabled
>  - Property type: boolean
>  - Default: false (security disabled)
> h5. MapReduce Task-Level Security Enforcement: Property Domain
> Defines the set of MapReduce configuration keys that represent user-supplied 
> class names involved in task execution (e.g., mapper, reducer, partitioner).
> The Application Master examines the values of these properties and checks 
> whether any referenced class is listed in denied tasks.
> Administrators may override this list to expand or restrict the validation 
> domain.
>  - Property name: mapreduce.security.property-domain
>  - Property type: list of configuration keys
>  - Default:
>  * mapreduce.job.combine.class
>  * mapreduce.job.combiner.group.comparator.class
>  * mapreduce.job.end-notification.custom-notifier-class
>  * mapreduce.job.inputformat.class
>  * mapreduce.job.map.class
>  * mapreduce.job.map.output.collector.class
>  * mapreduce.job.output.group.comparator.class
>  * mapreduce.job.output.key.class
>  * mapreduce.job.output.key.comparator.class
>  * mapreduce.job.output.value.class
>  * mapreduce.job.outputformat.class
>  * mapreduce.job.partitioner.class
>  * mapreduce.job.reduce.class
>  * mapreduce.map.output.key.class
>  * mapreduce.map.output.value.class
> h5. MapReduce Task-Level Security Enforcement: Denied Tasks
> Specifies the list of disallowed task implementation classes or packages.
> If a user submits a job whose mapper, reducer, or other task-related classes 
> match any entry in this blacklist.
>  - Property name: mapreduce.security.denied-tasks
>  - Property type: list of class name or package patterns
>  - Default: empty
>  - Example: 
> org.apache.hadoop.streaming,org.apache.hadoop.examples.QuasiMonteCarlo
> h5. MapReduce Task-Level Security Enforcement: Allowed Users
> Specifies users who may bypass the blacklist defined in denied tasks.
> This whitelist is intended for trusted or system-level workflows that may 
> legitimately require the use of restricted task implementations.
> If the submitting user is listed here, blacklist enforcement is skipped, 
> although standard Hadoop authentication and ACL checks still apply.
>  - Property name: mapreduce.security.allowed-users
>  - Property type: list of usernames
>  - Default: empty
>  - Example: alice,bob
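
The AM-side check described in the issue above, as an added example that is not the code from PR #8100. A plain `Map` stands in for the job configuration and only part of the property domain is scanned. The matching rule (exact class, enclosing class, or package prefix) is an assumption, since the issue says only "class name or package patterns"; `TaskDenyListCheck` and `org.apache.hadoop.streamingx.Mapper` are constructed names.

```java
import java.util.*;
public class TaskDenyListCheck {
  // Subset of the default property domain listed in the issue description.
  static final List<String> PROPERTY_DOMAIN = List.of(
      "mapreduce.job.map.class", "mapreduce.job.reduce.class");

  // Assumed semantics: an entry names a class, an enclosing class, or a package.
  // Appending '.' or '$' keeps "...streaming" from matching "...streamingx.Foo".
  static boolean matches(String cls, String entry) {
    return cls.equals(entry) || cls.startsWith(entry + ".")
        || cls.startsWith(entry + "$");
  }

  // Splits a comma-separated property value, dropping blanks.
  static List<String> csv(Map<String, String> conf, String key) {
    List<String> out = new ArrayList<>();
    for (String s : conf.getOrDefault(key, "").split(",")) {
      if (!s.trim().isEmpty()) out.add(s.trim());
    }
    return out;
  }

  // Steps 1-4 of the issue; a plain Map stands in for the job configuration.
  static void validate(Map<String, String> conf, String user) {
    if (!Boolean.parseBoolean(conf.get("mapreduce.security.enabled"))) return;
    if (csv(conf, "mapreduce.security.allowed-users").contains(user)) return;
    List<String> denied = csv(conf, "mapreduce.security.denied-tasks");
    for (String key : PROPERTY_DOMAIN) {
      String cls = conf.getOrDefault(key, "").trim();
      for (String entry : denied) {
        if (!cls.isEmpty() && matches(cls, entry)) {
          throw new SecurityException(user + " may not run " + cls + " (" + key + ")");
        }
      }
    }
  }

  public static void main(String[] args) {
    Map<String, String> conf = new HashMap<>(); // constructed sample job config
    conf.put("mapreduce.security.enabled", "true");
    conf.put("mapreduce.security.denied-tasks",
        "org.apache.hadoop.streaming,org.apache.hadoop.examples.QuasiMonteCarlo");
    conf.put("mapreduce.security.allowed-users", "alice,bob");
    conf.put("mapreduce.job.map.class", "org.apache.hadoop.streamingx.Mapper");
    validate(conf, "carol"); // constructed sibling package sharing a name prefix
    conf.put("mapreduce.job.map.class", "org.apache.hadoop.streaming.PipeMapper");
    validate(conf, "alice"); // user listed in allowed-users
    validate(conf, "carol"); // same job, user not listed
  }
}
```

Only the final call throws, which corresponds to step 4 of the issue, where the AM fails the job.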


