From e9c1efd4cccab19048653280afcbcc946548b557 Mon Sep 17 00:00:00 2001 From: Vinod Kumar Vavilapalli Date: Fri, 17 Sep 2010 07:25:57 +0000 Subject: [PATCH] HADOOP-6922. COMMON part of MAPREDUCE-1664. Makes AccessControlList a writable and updates documentation for Job ACLs. Contributed by Ravi Gummadi. git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@998001 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES.txt | 3 ++ .../content/xdocs/cluster_setup.xml | 41 +++++++++++-------- .../security/authorize/AccessControlList.java | 20 ++++++++- 3 files changed, 46 insertions(+), 18 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index e543dc27e77..75c87c81035 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -131,6 +131,9 @@ Trunk (unreleased changes) HADOOP-6950. Suggest that HADOOP_CLASSPATH should be preserved in hadoop-env.sh.template. (Philip Zeyliger via Eli Collins) + HADOOP-6922. Make AccessControlList a writable and update documentation + for Job ACLs. (Ravi Gummadi via vinodkv) + OPTIMIZATIONS HADOOP-6884. Add LOG.isDebugEnabled() guard for each LOG.debug(..). diff --git a/src/docs/src/documentation/content/xdocs/cluster_setup.xml b/src/docs/src/documentation/content/xdocs/cluster_setup.xml index e2dbc6485fc..8bdec1fca68 100644 --- a/src/docs/src/documentation/content/xdocs/cluster_setup.xml +++ b/src/docs/src/documentation/content/xdocs/cluster_setup.xml 
@@ -271,17 +271,25 @@ If necessary, use these files to control the list of allowable TaskTrackers. - - - mapreduce.cluster.job-authorization-enabled - Boolean, specifying whether job ACLs are supported for - authorizing view and modification of a job - - If true, job ACLs would be checked while viewing or - modifying a job. More details are available at - Job Authorization. - - + + + mapreduce.cluster.acls.enabled + Boolean, specifying whether checks for queue ACLs and job ACLs + are to be done for authorizing users for doing queue operations and + job operations. + + + If true, queue ACLs are checked while submitting + and administering jobs and job ACLs are checked for authorizing + view and modification of jobs. Queue ACLs are specified using the + configuration parameters of the form defined below under + mapred-queues.xml. Job ACLs are described at + mapred-tutorial in "Job Authorization" section. + For enabling this flag(mapreduce.cluster.acls.enabled), this is to be + set to true in mapred-site.xml on JobTracker node and on all + TaskTracker nodes. + + @@ -370,7 +378,7 @@

- <queues aclsEnabled="$aclsEnabled"> + <queues> <queue> <name>$queue-name</name> <state>$state</state> @@ -509,11 +517,12 @@ - acl-administer-job + acl-administer-jobs Child element of a <queue> specifying the - list of users and groups that can change the priority of a job - or kill a job that has been submitted to the specified queue. + list of users and groups that can view job details, change the + priority of a job or kill a job that has been submitted to the + specified queue. Yes @@ -522,7 +531,7 @@ list of names. The two lists are separated by a blank. Example: user1,user2 group1,group2. If you wish to define only a list of groups, provide - a blank at the beginning of the value. Note that an + a blank at the beginning of the value. Note that the owner of a job can always change the priority or kill his/her own job, irrespective of the ACLs. diff --git a/src/java/org/apache/hadoop/security/authorize/AccessControlList.java b/src/java/org/apache/hadoop/security/authorize/AccessControlList.java index e8e0767faae..b847b174037 100644 --- a/src/java/org/apache/hadoop/security/authorize/AccessControlList.java +++ b/src/java/org/apache/hadoop/security/authorize/AccessControlList.java @@ -27,6 +27,8 @@ import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Writable; +import org.apache.hadoop.io.WritableFactories; +import org.apache.hadoop.io.WritableFactory; import org.apache.hadoop.security.UserGroupInformation; /** 
@@ -35,7 +37,15 @@ import org.apache.hadoop.security.UserGroupInformation;
 @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
 @InterfaceStability.Evolving
 public class AccessControlList implements Writable {
-
+
+ static { // register a ctor
+ WritableFactories.setFactory
+ (AccessControlList.class,
+ new WritableFactory() {
+ public Writable newInstance() { return new AccessControlList(); }
+ });
+ }
+
 // Indicates an ACL string that represents access to all users
 public static final String WILDCARD_ACL_VALUE = "*";
 private static final int INITIAL_CAPACITY = 256;
@@ -46,7 +56,13 @@ public class AccessControlList implements Writable {
 private Set groups;
 // Whether all users are granted access.
 private boolean allAllowed;
-
+
+ /**
+ * This constructor exists primarily for AccessControlList to be Writable.
+ */
+ public AccessControlList() {
+ }
+
 /**
 * Construct a new ACL from a String representation of the same.
 *
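Review bot: The public no-argument constructor added in the second hunk leaves the ACL unpopulated: `groups` is declared without an initializer just above it and the constructor body is empty, so an instance handed out by the new `WritableFactory` in the first hunk is not a valid ACL until `readFields` has run. For an authorization object that state should be defined; if the user and group sets are still null at that point, an access check on such an instance would presumably throw rather than deny. Either initialise the sets to empty in the constructor so the default is deny-all, or extend the Javadoc with `Until readFields() is called the ACL holds no users or groups and must not be used for access checks.` The declaration of `users` and the body of `readFields` are outside these hunks, so this needs confirming against the full class.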