You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:04:19 UTC

svn commit: r1077332 - in /hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs: cluster_setup.xml mapred_tutorial.xml

Author: omalley
Date: Fri Mar  4 04:04:19 2011
New Revision: 1077332

URL: http://svn.apache.org/viewvc?rev=1077332&view=rev
Log:
commit 8880f282ffbf15933566febfb62d26f9dbe8e213
Author: Hemanth Yamijala <yh...@yahoo-inc.com>
Date:   Thu Mar 18 12:05:01 2010 +0530

    MAPREDUCE:1604 from https://issues.apache.org/jira/secure/attachment/12439114/patch-1604-ydist.txt
    
    +++ b/YAHOO-CHANGES.txt
    +    MAPREDUCE-1604. Update Forrest documentation for job authorization
    +    ACLs. (Amareshwari Sriramadasu via yhemanth)
    +

Modified:
    hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml
    hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml

Modified: hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml?rev=1077332&r1=1077331&r2=1077332&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/cluster_setup.xml Fri Mar  4 04:04:19 2011
@@ -294,15 +294,26 @@
         </tr>
         <tr>
           <td>mapred.acls.enabled</td>
-          <td>Specifies whether ACLs are supported for controlling job
-              submission and administration</td>
+          <td>Boolean, specifying whether queue ACLs are supported for 
+              authorizing job submission and job administration in a 
+              queue</td>
           <td>
-            If <em>true</em>, ACLs would be checked while submitting
+            If <em>true</em>, queue ACLs would be checked while submitting
             and administering jobs. ACLs can be specified using the
             configuration parameters of the form
             <em>mapred.queue.queue-name.acl-name</em>, defined below.
           </td>
         </tr>
+        <tr>
+          <td>mapreduce.cluster.job-authorization-enabled</td>
+          <td>Boolean, specifying whether job ACLs are supported for 
+              authorizing view and modification of a job</td>
+          <td>
+            If <em>true</em>, job ACLs would be checked while viewing or
+            modifying a job. More details are available at 
+            <a href ="mapred_tutorial.html#Job+Authorization">Job Authorization</a>. 
+          </td>
+        </tr>
 		  </table>
       
       <p><br/><code> conf/mapred-queue-acls.xml</code></p>
@@ -599,7 +610,7 @@
             <p>
             The LinuxTaskController requires that paths including and leading up
             to the directories specified in
-            <em>mapreduce.cluster.local.dir</em> and <em>hadoop.log.dir</em> to
+            <em>mapred.local.dir</em> and <em>hadoop.log.dir</em> to
             be set 755 permissions.
             </p>
             

Modified: hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml?rev=1077332&r1=1077331&r2=1077332&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/docs/src/documentation/content/xdocs/mapred_tutorial.xml Fri Mar  4 04:04:19 2011
@@ -1486,6 +1486,60 @@
         <p>Normally the user creates the application, describes various facets 
         of the job via <code>JobConf</code>, and then uses the 
         <code>JobClient</code> to submit the job and monitor its progress.</p>
+        
+        <section>
+          <title>Job Authorization</title>
+          <p>Job level authorization is enabled on the cluster, if the configuration
+          <code>mapreduce.cluster.job-authorization-enabled</code> is set to
+          true. When enabled, access control checks are done by the JobTracker
+          and the TaskTracker before allowing users to view
+          job details or to modify a job using Map/Reduce APIs,
+          CLI or web user interfaces.</p>
+          
+          <p>A job submitter can specify access control lists for viewing or
+          modifying a job via the configuration properties
+          <code>mapreduce.job.acl-view-job</code> and
+          <code>mapreduce.job.acl-modify-job</code> respectively. By default, 
+          nobody is given access in these properties.</p> 
+          
+          <p>However, irrespective of the ACLs configured, a job's owner,
+          the superuser and the members of an admin configured supergroup
+          (<code>mapred.permissions.supergroup</code>) always have access to
+          view and modify a job.</p>
+          
+          <p> A job view ACL authorizes users against the configured 
+          <code>mapreduce.job.acl-view-job</code> before returning possibly 
+          sensitive information about a job, like: </p>
+          <ul>
+            <li> job level counters </li>
+            <li> task level counters </li>
+            <li> tasks's diagnostic information </li>
+            <li> task logs displayed on the TaskTracker web UI </li>
+            <li> job.xml showed by the JobTracker's web UI </li>
+          </ul>
+          <p>Other information about a job, like its status and its profile, 
+          is accessible to all users, without requiring authorization.</p>
+          
+          <p> A job modification ACL authorizes users against the configured
+          <code>mapreduce.job.acl-modify-job</code> before allowing
+          modifications to jobs, like: </p>
+          <ul>
+            <li> killing a job </li>
+            <li> killing/failing a task of a job </li>
+            <li> setting the priority of a job </li>
+          </ul>
+          <p>These operations are also protected by the queue level ACL,
+          "acl-administer-jobs", configured via mapred-queue-acls.xml. The caller
+          will be authorized against both queue level ACLs and job level ACLs,
+          depending on what is enabled.</p>
+          
+          <p>The format of a job level ACL is the same as the format for a
+          queue level ACL as defined in the
+          <a href ="cluster_setup.html#Configuring+the+Hadoop+Daemons">
+          Cluster Setup</a> documentation.
+          </p>
+          
+        </section>
 
         <section>
           <title>Job Control</title>