sqoop-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SQOOP-3018) Hadoop MapReduce job submission be done in client user UGI?
Date Fri, 14 Oct 2016 18:30:21 GMT

    [ https://issues.apache.org/jira/browse/SQOOP-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15576119#comment-15576119
] 

Daryn Sharp commented on SQOOP-3018:
------------------------------------

Not impersonating the entire job is security concern.  Allowing the user to alter the classpath
and/or provide custom job code that will run as a privileged user isn't a concern, it's a
giant security hole.  Trying to prevent me from attaching a debugger to get access to credentials
(which should be mine?) isn't a concern when I can hack the job from the inside.

The real use case is no job can be trusted to run as a privileged user that selectively impersonates
normal users.  Jobs must run as non-priviledged users.

> Hadoop MapReduce job submission be done in client user UGI?
> -----------------------------------------------------------
>
>                 Key: SQOOP-3018
>                 URL: https://issues.apache.org/jira/browse/SQOOP-3018
>             Project: Sqoop
>          Issue Type: New Feature
>          Components: connectors/hdfs
>    Affects Versions: 1.99.7
>            Reporter: Yan Braun
>         Attachments: SQOOP-3018.patch
>
>
> Hdfs Connector read and write to HDFS in client user UGI when proxyUser is enabled. 
But MapReduce job submission is done using Sqoop user UGI, which makes all jobs from different
users run in Sqoop user's hadoop queue  instead of client users' own queue.   
> This is a follow-up JIRA after our discussions with Abraham Fine on whether this will
be on sqoop2 road map in the near future.  Thanks.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message