You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pig.apache.org by pr...@apache.org on 2014/05/29 19:55:19 UTC

svn commit: r1598347 - /pig/branches/branch-0.13/src/docs/src/documentation/content/xdocs/admin.xml

Author: prkommireddi
Date: Thu May 29 17:55:19 2014
New Revision: 1598347

URL: http://svn.apache.org/r1598347
Log:
PIG-3800: Documentation for Pig whitelist and blacklist features (prkommireddi)

Modified:
    pig/branches/branch-0.13/src/docs/src/documentation/content/xdocs/admin.xml

Modified: pig/branches/branch-0.13/src/docs/src/documentation/content/xdocs/admin.xml
URL: http://svn.apache.org/viewvc/pig/branches/branch-0.13/src/docs/src/documentation/content/xdocs/admin.xml?rev=1598347&r1=1598346&r2=1598347&view=diff
==============================================================================
--- pig/branches/branch-0.13/src/docs/src/documentation/content/xdocs/admin.xml (original)
+++ pig/branches/branch-0.13/src/docs/src/documentation/content/xdocs/admin.xml Thu May 29 17:55:19 2014
@@ -31,5 +31,24 @@
             <p>Specifically this makes sense for file-based output locations (HDFS, Local FS, S3..) to avoid Pig script from failing when multiple MR jobs write to the same location. </p>   
             <p>To enforce strict checking of output location, set <strong>pig.location.check.strict=true</strong>. See also <a href="start.html#properties">Pig Properties</a> on how to set this property.</p>
     </section>
-  </body>
-</document>
\ No newline at end of file
+
+<!-- DISABLE PIG COMMANDS AND OPERATORS -->
+    <section>
+       <title>Disabling Pig commands and operators</title>
+           <p>This is an admin feature providing ability to blacklist or/and whitelist certain commands and operations. Pig exposes a few of these that could be not very safe in a multitenant environment. For example, "sh" invokes shell commands, "set" allows users to change non-final configs. While these are tremendously useful in general, having an ability to disable would make Pig a safer platform. The goal is to allow administrators to be able to have more control over user scripts. Default behaviour would still be the same - no filters applied on commands and operators.</p>
+           <p>There are two properties you can use to control what users are able to do</p>
+               <ul>
+                  <li>pig.blacklist</li>
+                  <li>pig.whitelist</li>
+               </ul>
+           <h4>Blacklisting</h4>
+             <p>Set "pig.blacklist" to a comma-delimited set of operators and commands. For eg, <i>pig.blacklist=rm,kill,cross</i> would disable users from executing any of "rm", "kill" commands and "cross" operator.</p>
+
+           <h4>Whitelisting</h4>
+             <p>This is an even safer approach to disallowing functionality in Pig. Using this you will be able to disable all commands and operators that are not a part of the whitelist. For eg, <i>pig.whitelist=load,filter,store</i> will disallow every command and operator other than "load", "filter" and "store". </p>
+             <h4>Note</h4>
+               <p>There should not be any conflicts between blacklist and whitelist. Make sure to have them entirely distinct or Pig will complain.</p>
+    </section>
+
+</body>
+</document>