Posted to dev@sqoop.apache.org by "Jarek Jarcec Cecho (JIRA)" <ji...@apache.org> on 2016/10/05 17:39:20 UTC

[jira] [Commented] (SQOOP-3018) Hadoop MapReduce job submission be done in client user UGI?

    [ https://issues.apache.org/jira/browse/SQOOP-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549455#comment-15549455 ] 

Jarek Jarcec Cecho commented on SQOOP-3018:
-------------------------------------------

If my memory serves me well, we did not want to impersonate the whole job as that would expose information that should be exposed. E.g. if a malicious user doesn't have credentials to a given database, but has the privilege to use them in the Sqoop 2 server through a link object, he could potentially attach a debugger to the impersonated process and get the credentials. Not impersonating the whole job means that there is no such attack vector.

I'm however not sure if that is still applicable to the current code base or not.

> Hadoop MapReduce job submission be done in client user UGI?
> -----------------------------------------------------------
>
>                 Key: SQOOP-3018
>                 URL: https://issues.apache.org/jira/browse/SQOOP-3018
>             Project: Sqoop
>          Issue Type: New Feature
>          Components: connectors/hdfs
>    Affects Versions: 1.99.7
>            Reporter: Yan Braun
>
> Hdfs Connector reads and writes to HDFS in client user UGI when proxyUser is enabled. But MapReduce job submission is done using Sqoop user UGI, which makes all jobs from different users run in Sqoop user's hadoop queue instead of client users' own queue.
> This is a follow-up JIRA after our discussions with Abraham Fine on whether this will be on sqoop2 road map in the near future.  Thanks.  


