sqoop-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jarek Jarcec Cecho (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SQOOP-3018) Hadoop MapReduce job submission be done in client user UGI?
Date Wed, 05 Oct 2016 17:39:20 GMT

    [ https://issues.apache.org/jira/browse/SQOOP-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549455#comment-15549455
] 

Jarek Jarcec Cecho commented on SQOOP-3018:
-------------------------------------------

If my memory serves me well, we did not want to impersonate the whole job as that would expose
information that should be exposed. E.g. if malicious user that doesn't have credentials to
given database - but have a privilege to use them in Sqoop 2 server through link object, he
could potentially attach debugger to the impersonated process and get the credentials. Not
impersonating the whole job, means that there is no such attack vector.

I'm however not sure if that is still applicable to the current code base or not.

> Hadoop MapReduce job submission be done in client user UGI?
> -----------------------------------------------------------
>
>                 Key: SQOOP-3018
>                 URL: https://issues.apache.org/jira/browse/SQOOP-3018
>             Project: Sqoop
>          Issue Type: New Feature
>          Components: connectors/hdfs
>    Affects Versions: 1.99.7
>            Reporter: Yan Braun
>
> Hdfs Connector read and write to HDFS in client user UGI when proxyUser is enabled. 
But MapReduce job submission is done using Sqoop user UGI, which makes all jobs from different
users run in Sqoop user's hadoop queue  instead of client users' own queue.   
> This is a follow-up JIRA after our discussions with Abraham Fine on whether this will
be on sqoop2 road map in the near future.  Thanks.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message