[
https://issues.apache.org/jira/browse/MAPREDUCE-7523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18068606#comment-18068606
]
ASF GitHub Bot commented on MAPREDUCE-7523:
-------------------------------------------
steveloughran commented on code in PR #8378:
URL: https://github.com/apache/hadoop/pull/8378#discussion_r2994203887
##########
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRConfig.java:
##########
@@ -133,5 +133,94 @@ public interface MRConfig {
boolean DEFAULT_MASTER_WEBAPP_UI_ACTIONS_ENABLED = true;
String MULTIPLE_OUTPUTS_CLOSE_THREAD_COUNT =
"mapreduce.multiple-outputs-close-threads";
int DEFAULT_MULTIPLE_OUTPUTS_CLOSE_THREAD_COUNT = 10;
+
+ /**
+ * Enables MapReduce Task-Level Security Enforcement.
+ * <p>
+ * When enabled, the Application Master performs validation of user-submitted
+ * mapper, reducer, and other task-related classes before launching
containers.
+ * This mechanism protects the cluster from running disallowed or unsafe task
+ * implementations as defined by administrator-controlled policies.
+ * </p>
+ * Property type: boolean
+ * Default: {@value #DEFAULT_SECURITY_ENABLED}
+ * Value: {@value}
+ */
+ String SECURITY_ENABLED = "mapreduce.security.enabled";
Review Comment:
call this `mapreduce.task.security.enabled` with matching change in the
constant name. We need a clear distinction from UGI.isSecurityEnabled()
##########
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/security/authorize/TaskLevelSecurityEnforcer.java:
##########
@@ -63,22 +65,27 @@ private TaskLevelSecurityEnforcer() {
* <li>If a match is found, reject the job by throwing {@link
TaskLevelSecurityException}.</li>
* </ol>
*
- * @param conf the job configuration to validate
+ * @param conf the job configuration to validate
+ * @param currentUser the user who running the AM container
* @throws TaskLevelSecurityException if the user is not authorized to use
one of the task classes
*/
- public static void validate(JobConf conf) throws TaskLevelSecurityException {
+ public static void validate(JobConf conf, UserGroupInformation currentUser)
throws TaskLevelSecurityException {
if (!conf.getBoolean(MRConfig.SECURITY_ENABLED,
MRConfig.DEFAULT_SECURITY_ENABLED)) {
LOG.debug("The {} is disabled", MRConfig.SECURITY_ENABLED);
return;
}
- String currentUser = conf.get(MRJobConfig.USER_NAME).trim();
+ String currentUserName = UserGroupInformation.isSecurityEnabled()
+ ? currentUser.getShortUserName()
+ : StringUtils.trim(conf.get(MRJobConfig.USER_NAME));
Review Comment:
use `Configuration.getTrimmed()`. This handles the case of a missing option
by returning null. I don't see that case arising given how the option is set,
and if the code does have a failure path it's only going to happen if kerberos
is disabled and task level security enabled, which is an unlikely setup
> MapReduce Task-Level Security Enforcement
> -----------------------------------------
>
> Key: MAPREDUCE-7523
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-7523
> Project: Hadoop Map/Reduce
> Issue Type: New Feature
> Components: mrv2
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> h2. Overview
> The goal of this feature to provide a configurable mechanism to control which
> users are allowed to execute specific MapReduce jobs.
> This feature aims to prevent unauthorized or potentially harmful
> mapper/reducer implementations from running within the Hadoop cluster.
> In the standard Hadoop MapReduce execution flow:
> 1) A MapReduce job is submitted by a user.
> 2) The job is registered with the Resource Manager (RM).
> 3) The RM assigns the job to a Node Manager (NM), where the Application
> Master (AM) for the job is launched.
> 4) The AM requests additional containers from the cluster, to be able to
> start tasks.
> 5) The NM launches those containers, and the containers execute the
> mapper/reducer tasks defined by the job.
> The proposed feature introduces a security filtering mechanism inside the
> Application Master.
> Before mapper or reducer tasks are launched, the AM will verify that the
> user-submitted MapReduce code complies with a cluster-defined security
> policy.
> This ensures that only approved classes or packages can be executed inside
> the containers.
> The goal is to protect the cluster from unwanted or unsafe task
> implementations, such as custom code that may introduce performance,
> stability, or security risks.
> Upon receiving job metadata, the Application Master will:
> 1) Check the feature is enabled.
> 2) Check the user who submitted the job is allowed to bypass the security
> check.
> 3) Compare classes in job config against the denied task list.
> 4) If job is not authorised an exception will be thrown and AM will fail.
> h2. New Configs
> h5. Enables MapReduce Task-Level Security Enforcement
> When enabled, the Application Master performs validation of user-submitted
> mapper, reducer, and other task-related classes before launching containers.
> This mechanism protects the cluster from running disallowed or unsafe task
> implementations as defined by administrator-controlled policies.
> - Property name: mapreduce.security.enabled
> - Property type: boolean
> - Default: false (security disabled)
> h5. MapReduce Task-Level Security Enforcement: Property Domain
> Defines the set of MapReduce configuration keys that represent user-supplied
> class names involved in task execution (e.g., mapper, reducer, partitioner).
> The Application Master examines the values of these properties and checks
> whether any referenced class is listed in denied tasks.
> Administrators may override this list to expand or restrict the validation
> domain.
> - Property name: mapreduce.security.property-domain
> - Property type: list of configuration keys
> - Default:
> * mapreduce.job.combine.class
> * mapreduce.job.combiner.group.comparator.class
> * mapreduce.job.end-notification.custom-notifier-class
> * mapreduce.job.inputformat.class
> * mapreduce.job.map.class
> * mapreduce.job.map.output.collector.class
> * mapreduce.job.output.group.comparator.class
> * mapreduce.job.output.key.class
> * mapreduce.job.output.key.comparator.class
> * mapreduce.job.output.value.class
> * mapreduce.job.outputformat.class
> * mapreduce.job.partitioner.class
> * mapreduce.job.reduce.class
> * mapreduce.map.output.key.class
> * mapreduce.map.output.value.class
> h5. MapReduce Task-Level Security Enforcement: Denied Tasks
> Specifies the list of disallowed task implementation classes or packages.
> If a user submits a job whose mapper, reducer, or other task-related classes
> match any entry in this blacklist.
> - Property name: mapreduce.security.denied-tasks
> - Property type: list of class name or package patterns
> - Default: empty
> - Example:
> org.apache.hadoop.streaming,org.apache.hadoop.examples.QuasiMonteCarlo
> h5. MapReduce Task-Level Security Enforcement: Allowed Users
> Specifies users who may bypass the blacklist defined in denied tasks.
> This whitelist is intended for trusted or system-level workflows that may
> legitimately require the use of restricted task implementations.
> If the submitting user is listed here, blacklist enforcement is skipped,
> although standard Hadoop authentication and ACL checks still apply.
> - Property name: mapreduce.security.allowed-users
> - Property type: list of usernames
> - Default: empty
> - Example: alice,bob
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
