HADOOP-6922. COMMON part of MAPREDUCE-1664. Makes AccessControlList a writable and updates documentation for Job ACLs. Contributed by Ravi Gummadi.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@998001 13f79535-47bb-0310-9956-ffa450edef68
Vinod Kumar Vavilapalli 2010-09-17 07:25:57 +00:00
parent 1bc066c7d7
commit e9c1efd4cc
3 changed files with 46 additions and 18 deletions

@ -131,6 +131,9 @@ Trunk (unreleased changes)
HADOOP-6950. Suggest that HADOOP_CLASSPATH should be preserved in HADOOP-6950. Suggest that HADOOP_CLASSPATH should be preserved in
hadoop-env.sh.template. (Philip Zeyliger via Eli Collins) hadoop-env.sh.template. (Philip Zeyliger via Eli Collins)
HADOOP-6922. Make AccessControlList a writable and update documentation
for Job ACLs. (Ravi Gummadi via vinodkv)
OPTIMIZATIONS OPTIMIZATIONS
HADOOP-6884. Add LOG.isDebugEnabled() guard for each LOG.debug(..). HADOOP-6884. Add LOG.isDebugEnabled() guard for each LOG.debug(..).

@ -271,17 +271,25 @@
If necessary, use these files to control the list of allowable If necessary, use these files to control the list of allowable
TaskTrackers. TaskTrackers.
</td> </td>
</tr> </tr>
<tr> <tr>
<td>mapreduce.cluster.job-authorization-enabled</td> <td>mapreduce.cluster.acls.enabled</td>
<td>Boolean, specifying whether job ACLs are supported for <td>Boolean, specifying whether checks for queue ACLs and job ACLs
authorizing view and modification of a job</td> are to be done for authorizing users for doing queue operations and
<td> job operations.
If <em>true</em>, job ACLs would be checked while viewing or </td>
modifying a job. More details are available at <td>
<a href ="ext:mapred-tutorial/JobAuthorization">Job Authorization</a>. If <em>true</em>, queue ACLs are checked while submitting
</td> and administering jobs and job ACLs are checked for authorizing
</tr> view and modification of jobs. Queue ACLs are specified using the
configuration parameters of the form defined below under
mapred-queues.xml. Job ACLs are described at
mapred-tutorial in "Job Authorization" section.
For enabling this flag(mapreduce.cluster.acls.enabled), this is to be
set to true in mapred-site.xml on JobTracker node and on all
TaskTracker nodes.
</td>
</tr>
</table> </table>
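Review bot: the row for mapreduce.cluster.acls.enabled replaces mapreduce.cluster.job-authorization-enabled without saying whether the old key is still honoured. A site that keeps only the old key in mapred-site.xml could end up with ACL checks off and nothing to indicate it, so the description should state what happens to the old name and what the default value is. The new text also replaces the ext:mapred-tutorial/JobAuthorization link with a plain mention of the "Job Authorization" section; keeping the link would be better. The closing sentence ("For enabling this flag(mapreduce.cluster.acls.enabled), this is to be set to true ...") would read more clearly as "Set this to true in mapred-site.xml on the JobTracker node and on all TaskTracker nodes."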
@ -370,7 +378,7 @@
</p> </p>
<source> <source>
&lt;queues aclsEnabled="$aclsEnabled"&gt; &lt;queues&gt;
&lt;queue&gt; &lt;queue&gt;
&lt;name&gt;$queue-name&lt;/name&gt; &lt;name&gt;$queue-name&lt;/name&gt;
&lt;state&gt;$state&lt;/state&gt; &lt;state&gt;$state&lt;/state&gt;
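Review bot: the example drops the aclsEnabled attribute from the queues element, and nothing in this hunk tells the reader whether the attribute is still read. Operators with an existing mapred-queues.xml that sets aclsEnabled need a sentence near this example saying that the switch is now mapreduce.cluster.acls.enabled in mapred-site.xml and how a leftover attribute is treated, otherwise they may assume queue ACLs are enforced when they are not.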
@ -509,11 +517,12 @@
</tr> </tr>
<tr> <tr>
<td>acl-administer-job</td> <td>acl-administer-jobs</td>
<td>Child element of a <td>Child element of a
<a href="#queue_tag"><em>&lt;queue&gt;</em></a> specifying the <a href="#queue_tag"><em>&lt;queue&gt;</em></a> specifying the
list of users and groups that can change the priority of a job list of users and groups that can view job details, change the
or kill a job that has been submitted to the specified queue. priority of a job or kill a job that has been submitted to the
specified queue.
</td> </td>
<td>Yes</td> <td>Yes</td>
<td> <td>
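Review bot: the first cell renames the element from acl-administer-job to acl-administer-jobs, but the text does not say what happens to queue definitions that still use the old name. State whether the old element is rejected, ignored or accepted, since a silently ignored ACL element changes who can administer jobs in that queue. The description also adds "view job details" to what this ACL grants; if that is a behaviour change rather than a documentation fix, call it out, because users and groups already listed would then be able to view job details as well.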
@ -522,7 +531,7 @@
list of names. The two lists are separated by a blank. list of names. The two lists are separated by a blank.
Example: <em>user1,user2 group1,group2</em>. Example: <em>user1,user2 group1,group2</em>.
If you wish to define only a list of groups, provide If you wish to define only a list of groups, provide
a blank at the beginning of the value. Note that an a blank at the beginning of the value. Note that the
owner of a job can always change the priority or kill owner of a job can always change the priority or kill
his/her own job, irrespective of the ACLs. his/her own job, irrespective of the ACLs.
</td> </td>
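Review bot: the note about the job owner still lists only "change the priority or kill", while the description of acl-administer-jobs now also covers viewing job details. Say whether the owner can always view his/her own job too, so the two cells of this row agree.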

@ -27,6 +27,8 @@ import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.io.Writable; import org.apache.hadoop.io.Writable;
import org.apache.hadoop.io.WritableFactories;
import org.apache.hadoop.io.WritableFactory;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
/** /**
@ -35,7 +37,15 @@ import org.apache.hadoop.security.UserGroupInformation;
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"}) @InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving @InterfaceStability.Evolving
public class AccessControlList implements Writable { public class AccessControlList implements Writable {
static { // register a ctor
WritableFactories.setFactory
(AccessControlList.class,
new WritableFactory() {
public Writable newInstance() { return new AccessControlList(); }
});
}
// Indicates an ACL string that represents access to all users // Indicates an ACL string that represents access to all users
public static final String WILDCARD_ACL_VALUE = "*"; public static final String WILDCARD_ACL_VALUE = "*";
private static final int INITIAL_CAPACITY = 256; private static final int INITIAL_CAPACITY = 256;
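Review bot: the comment on the static block, "// register a ctor", does not explain why a factory is needed; the class declaration "implements Writable" is unchanged in this hunk, so the reader cannot tell what the registration enables. A one-line comment naming the code path that instantiates AccessControlList through WritableFactories would help. As a style point, the opening parenthesis of the setFactory call sits on the line after the method name; keep it on the call line.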
@ -46,7 +56,13 @@ public class AccessControlList implements Writable {
private Set<String> groups; private Set<String> groups;
// Whether all users are granted access. // Whether all users are granted access.
private boolean allAllowed; private boolean allAllowed;
/**
* This constructor exists primarily for AccessControlList to be Writable.
*/
public AccessControlList() {
}
/** /**
* Construct a new ACL from a String representation of the same. * Construct a new ACL from a String representation of the same.
* *
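Review bot: the new public no-argument constructor has an empty body, so groups stays null and allAllowed stays false until readFields populates the object. Because the constructor is public, callers other than the Writable machinery can obtain such an instance; either initialise the sets to empty collections in the constructor or state in the Javadoc that the object must not be used before readFields. allAllowed defaulting to false is the safe direction, but a null set will surface as a NullPointerException in any method that dereferences it. None of the files shown in this commit adds a test that round-trips an ACL through write and readFields using this constructor.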