MAPREDUCE-7537. Add mapreduce.security.allowed-groups bypass for task…#8492
Open
riya2305 wants to merge 1 commit into
Open
MAPREDUCE-7537. Add mapreduce.security.allowed-groups bypass for task…#8492riya2305 wants to merge 1 commit into
riya2305 wants to merge 1 commit into
Conversation
|
🎊 +1 overall
This message was automatically generated. |
There was a problem hiding this comment.
Pull request overview
This PR extends MapReduce task-level security enforcement (introduced in MAPREDUCE-7523) by adding a group-based bypass for the deny list, analogous to the existing per-user bypass.
Changes:
- Added new configuration key
mapreduce.security.allowed-groups(documented in defaults) to allow submitters in specific groups to bypassmapreduce.security.denied-tasks. - Introduced
MRConfig.SECURITY_ALLOWED_GROUPS/DEFAULT_SECURITY_ALLOWED_GROUPSconstants. - Updated
TaskLevelSecurityEnforcerand added unit tests validating allowed/denied group behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/resources/mapred-default.xml | Documents new mapreduce.security.allowed-groups default property and behavior. |
| hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/MRConfig.java | Adds constants/defaults for the new allowed-groups configuration key. |
| hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/main/java/org/apache/hadoop/mapreduce/v2/app/security/authorize/TaskLevelSecurityEnforcer.java | Implements allowed-groups bypass by resolving submitter groups via UserGroupInformation.getGroupsSet(). |
| hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-app/src/test/java/org/apache/hadoop/mapreduce/v2/app/security/authorize/TestTaskLevelSecurityEnforcer.java | Adds coverage for allowed/denied group bypass scenarios. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+98
to
+107
| String[] allowedGroupNames = conf.getTrimmedStrings( | ||
| MRConfig.SECURITY_ALLOWED_GROUPS, | ||
| MRConfig.DEFAULT_SECURITY_ALLOWED_GROUPS); | ||
| if (allowedGroupNames.length > 0) { | ||
| UserGroupInformation submitterUgi = | ||
| UserGroupInformation.createRemoteUser(currentUserName); | ||
| if (isUserInAllowedGroups(submitterUgi, allowedGroupNames)) { | ||
| LOG.debug("The {} is allowed to execute every task via allowed-groups", | ||
| currentUserName); | ||
| return; |
Contributor
There was a problem hiding this comment.
AFAIK the mapreduce.job.user.name is always set
Comment on lines
+150
to
+171
| @Test | ||
| public void testAllowedGroup() { | ||
| UserGroupInformation.createUserForTesting("alice", | ||
| new String[] {"hadoop"}); | ||
| JobConf conf = jobConfForSubmitUser("alice"); | ||
| conf.setBoolean(MRConfig.MAPREDUCE_TASK_SECURITY_ENABLED, true); | ||
| conf.setStrings(MRConfig.SECURITY_DENIED_TASKS, "org.apache.hadoop.streaming"); | ||
| conf.setStrings(MRConfig.SECURITY_ALLOWED_GROUPS, "hadoop"); | ||
| conf.set(MRJobConfig.MAP_CLASS_ATTR, "org.apache.hadoop.streaming.PipeMapper"); | ||
| assertPass(conf); | ||
| } | ||
|
|
||
| @Test | ||
| public void testDeniedGroup() { | ||
| UserGroupInformation.createUserForTesting("bob", | ||
| new String[] {"other"}); | ||
| JobConf conf = jobConfForSubmitUser("bob"); | ||
| conf.setBoolean(MRConfig.MAPREDUCE_TASK_SECURITY_ENABLED, true); | ||
| conf.setStrings(MRConfig.SECURITY_DENIED_TASKS, "org.apache.hadoop.streaming"); | ||
| conf.setStrings(MRConfig.SECURITY_ALLOWED_GROUPS, "hadoop"); | ||
| conf.set(MRJobConfig.MAP_CLASS_ATTR, "org.apache.hadoop.streaming.PipeMapper"); | ||
| assertDenied(conf); |
Contributor
There was a problem hiding this comment.
AFAIK the mapreduce.job.user.name is always set
K0K0V0K
reviewed
May 19, 2026
Comment on lines
+98
to
+107
| String[] allowedGroupNames = conf.getTrimmedStrings( | ||
| MRConfig.SECURITY_ALLOWED_GROUPS, | ||
| MRConfig.DEFAULT_SECURITY_ALLOWED_GROUPS); | ||
| if (allowedGroupNames.length > 0) { | ||
| UserGroupInformation submitterUgi = | ||
| UserGroupInformation.createRemoteUser(currentUserName); | ||
| if (isUserInAllowedGroups(submitterUgi, allowedGroupNames)) { | ||
| LOG.debug("The {} is allowed to execute every task via allowed-groups", | ||
| currentUserName); | ||
| return; |
Contributor
There was a problem hiding this comment.
AFAIK the mapreduce.job.user.name is always set
Comment on lines
+150
to
+171
| @Test | ||
| public void testAllowedGroup() { | ||
| UserGroupInformation.createUserForTesting("alice", | ||
| new String[] {"hadoop"}); | ||
| JobConf conf = jobConfForSubmitUser("alice"); | ||
| conf.setBoolean(MRConfig.MAPREDUCE_TASK_SECURITY_ENABLED, true); | ||
| conf.setStrings(MRConfig.SECURITY_DENIED_TASKS, "org.apache.hadoop.streaming"); | ||
| conf.setStrings(MRConfig.SECURITY_ALLOWED_GROUPS, "hadoop"); | ||
| conf.set(MRJobConfig.MAP_CLASS_ATTR, "org.apache.hadoop.streaming.PipeMapper"); | ||
| assertPass(conf); | ||
| } | ||
|
|
||
| @Test | ||
| public void testDeniedGroup() { | ||
| UserGroupInformation.createUserForTesting("bob", | ||
| new String[] {"other"}); | ||
| JobConf conf = jobConfForSubmitUser("bob"); | ||
| conf.setBoolean(MRConfig.MAPREDUCE_TASK_SECURITY_ENABLED, true); | ||
| conf.setStrings(MRConfig.SECURITY_DENIED_TASKS, "org.apache.hadoop.streaming"); | ||
| conf.setStrings(MRConfig.SECURITY_ALLOWED_GROUPS, "hadoop"); | ||
| conf.set(MRJobConfig.MAP_CLASS_ATTR, "org.apache.hadoop.streaming.PipeMapper"); | ||
| assertDenied(conf); |
Contributor
There was a problem hiding this comment.
AFAIK the mapreduce.job.user.name is always set
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…-level security.
Description of PR
MAPREDUCE-7523 introduced mapreduce.security.denied-tasks: a single, global list of disallowed class name prefixes applied to values of keys listed in mapreduce.security.property-domain. By default the policy is not per-user or per-group—the same rules apply to every submitter until an exception is configured. mapreduce.security.allowed-users already provides a per-user bypass of that deny list.
This work adds mapreduce.security.allowed-groups: a per-group bypass using the submitter’s resolved group names from the cluster’s Hadoop group mapping (UserGroupInformation.getGroupsSet() for that user).
For code changes:
LICENSE,LICENSE-binary,NOTICE-binaryfiles?AI Tooling
If an AI tool was used:
where is the name of the AI tool used.
https://www.apache.org/legal/generative-tooling.html