MAPREDUCE-7523. MapReduce Task-Level Security Enforcement #8100
base: trunk
Conversation
Force-pushed 6705730 to 3866c6e
Description of PR

The goal of this feature is to provide a configurable mechanism to control which users are allowed to execute specific MapReduce jobs. It aims to prevent unauthorized or potentially harmful mapper/reducer implementations from running within the Hadoop cluster.

In the standard Hadoop MapReduce execution flow:
1) A MapReduce job is submitted by a user.
2) The job is registered with the Resource Manager (RM).
3) The RM assigns the job to a Node Manager (NM), where the Application Master (AM) for the job is launched.
4) The AM requests additional containers from the cluster so that it can start tasks.
5) The NM launches those containers, and the containers execute the mapper/reducer tasks defined by the job.

The proposed feature introduces a security filtering mechanism inside the Application Master. Before mapper or reducer tasks are launched, the AM verifies that the user-submitted MapReduce code complies with a cluster-defined security policy. This ensures that only approved classes or packages can be executed inside the containers. The goal is to protect the cluster from unwanted or unsafe task implementations, such as custom code that may introduce performance, stability, or security risks.

Upon receiving the job metadata, the Application Master will:
1) Check that the feature is enabled.
2) Check whether the user who submitted the job is allowed to bypass the security check.
3) Compare the classes in the job configuration against the denied-tasks list.
4) If the job is not authorised, throw an exception and fail the AM.

New Configs

Enables MapReduce Task-Level Security Enforcement
When enabled, the Application Master validates user-submitted mapper, reducer, and other task-related classes before launching containers. This mechanism protects the cluster from running disallowed or unsafe task implementations as defined by administrator-controlled policies.
- Property name: mapreduce.security.enabled
- Property type: boolean
- Default: false (security disabled)

MapReduce Task-Level Security Enforcement: Property Domain
Defines the set of MapReduce configuration keys that represent user-supplied class names involved in task execution (e.g., mapper, reducer, partitioner). The Application Master examines the values of these properties and checks whether any referenced class is listed in the denied tasks. Administrators may override this list to expand or restrict the validation domain.
- Property name: mapreduce.security.property-domain
- Property type: list of configuration keys
- Default:
  map.sort.class
  mapreduce.job.classloader.system.classes
  mapreduce.job.combine.class
  mapreduce.job.combiner.group.comparator.class
  mapreduce.job.end-notification.custom-notifier-class
  mapreduce.job.inputformat.class
  mapreduce.job.map.class
  mapreduce.job.map.output.collector.class
  mapreduce.job.output.group.comparator.class
  mapreduce.job.output.key.class
  mapreduce.job.output.key.comparator.class
  mapreduce.job.output.value.class
  mapreduce.job.outputformat.class
  mapreduce.job.partitioner.class
  mapreduce.job.reduce.class
  mapreduce.map.output.key.class
  mapreduce.map.output.value.class

MapReduce Task-Level Security Enforcement: Denied Tasks
Specifies the list of disallowed task implementation classes or packages. If a user submits a job whose mapper, reducer, or other task-related classes match any entry in this blacklist, the job is rejected and the Application Master fails.
- Property name: mapreduce.security.denied-tasks
- Property type: list of class name or package patterns
- Default: empty
- Example: org.apache.hadoop.streaming,org.apache.hadoop.examples.QuasiMonteCarlo

MapReduce Task-Level Security Enforcement: Allowed Users
Specifies users who may bypass the blacklist defined in denied tasks. This whitelist is intended for trusted or system-level workflows that may legitimately require the use of restricted task implementations. If the submitting user is listed here, blacklist enforcement is skipped, although standard Hadoop authentication and ACL checks still apply.
- Property name: mapreduce.security.allowed-users
- Property type: list of usernames
- Default: empty
- Example: alice,bob
Force-pushed 3866c6e to 8c688bb
Force-pushed 018e4cb to 40457a3
💔 -1 overall
This message was automatically generated.
(The same automated build report was posted seven times over the course of the review.)
Hean-Chhinling
left a comment
Thanks @K0K0V0K for working on this.
LGTM!
steveloughran
left a comment
So is this a kerberized or non-kerberized cluster where you want to restrict the specific code an untrusted user may execute? Presumably you have to completely lock down their ability to add any new classes to the classpath; otherwise they would just add a new mapper or reducer class.
Is there any write-up on the security model, the attacks it is intended to defend against, etc.?
If you are trying to stop untrusted users from having their classes loaded in the cluster, I don't think this is sufficient. You would have to audit every single place where we instantiate a class through Configuration. A quick scan of Configuration.getClass use shows there are some distcp references (distcp.copy.listing.class, ...), and mapreduce.chain.mapper shows up as another mechanism used to chain together tasks; it will need lockdown too.
I think I will need to see the design goal of the security measure, the threat model it intends to mitigate, and whether you want that mitigation to be absolute or best-effort. I'm also curious about which tasks you want to lock down while still having them on the classpath.
I really think it'll be hard to stop someone sufficiently motivated from executing code in the cluster.
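To illustrate the chaining point: a job built with the chain API records its mapper and reducer class names under chain-specific configuration keys (the mapreduce.chain.* family the comment refers to) rather than mapreduce.job.map.class / mapreduce.job.reduce.class, so a property domain limited to the defaults would never inspect them. A rough, self-contained example:

```java
// Illustration of the gap: the classes added below are recorded under
// chain-specific configuration keys, not under mapreduce.job.map.class
// or mapreduce.job.reduce.class, so the default property domain would
// not see them. The identity Mapper/Reducer stand in for user classes.
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.LongWritable;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.mapreduce.Job;
import org.apache.hadoop.mapreduce.Mapper;
import org.apache.hadoop.mapreduce.Reducer;
import org.apache.hadoop.mapreduce.lib.chain.ChainMapper;
import org.apache.hadoop.mapreduce.lib.chain.ChainReducer;

public class ChainJobExample {
  public static Job buildChainJob(Configuration conf) throws IOException {
    Job job = Job.getInstance(conf, "chained job");
    // First mapper in the chain; its class name lands in a chain key.
    ChainMapper.addMapper(job, Mapper.class,
        LongWritable.class, Text.class, Text.class, Text.class,
        new Configuration(false));
    // Reducer plus a post-reduce mapper, again stored via chain keys.
    ChainReducer.setReducer(job, Reducer.class,
        Text.class, Text.class, Text.class, Text.class,
        new Configuration(false));
    ChainReducer.addMapper(job, Mapper.class,
        Text.class, Text.class, Text.class, Text.class,
        new Configuration(false));
    return job;
  }
}
```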
      return;
    }

    String currentUser = conf.get(MRJobConfig.USER_NAME);
Looking at JobSubmitter, this is set to UGI.currentUser.shortName. Is that enough? Shouldn't it be the fullName?
If so, JobSubmitter should add that as a property too.
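For context, the two accessors being contrasted here are UserGroupInformation.getShortUserName() and getUserName(); on a kerberized cluster they generally differ (auth_to_local-mapped short name vs. full principal), which is why the choice matters when the allowed-users list is compared against the submitted user name. A tiny illustrative probe, not part of the patch:

```java
// Illustrative probe, not part of the patch: prints both user-name forms.
// With simple auth they are usually identical; with Kerberos,
// getUserName() returns the full principal (e.g. alice@EXAMPLE.COM)
// while getShortUserName() returns the mapped short name (alice).
import org.apache.hadoop.security.UserGroupInformation;

public final class UserNameProbe {
  public static void main(String[] args) throws Exception {
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    System.out.println("short name: " + ugi.getShortUserName());
    System.out.println("full name : " + ugi.getUserName());
  }
}
```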
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

public class TestTaskLevelSecurityEnforcer {
extends `AbstractHadoopTestBase`
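For reference, a skeleton of what the suggested change might look like. Only the base class and the JUnit 5 assertions come from the diff; the enforcer entry point used below (TaskLevelSecurityEnforcer.check, assumed to live in the same package) is illustrative and may not match the patch.

```java
// Hypothetical skeleton of the suggested change. The check(...) entry
// point is assumed here for illustration and may not match the patch.
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.test.AbstractHadoopTestBase;

public class TestTaskLevelSecurityEnforcer extends AbstractHadoopTestBase {

  @Test
  public void testDisabledByDefault() {
    // With mapreduce.security.enabled left at false the check is a no-op.
    Configuration conf = new Configuration(false);
    assertDoesNotThrow(() -> TaskLevelSecurityEnforcer.check(conf));
  }

  @Test
  public void testDeniedMapperRejected() {
    Configuration conf = new Configuration(false);
    conf.setBoolean("mapreduce.security.enabled", true);
    conf.set("mapreduce.security.property-domain", "mapreduce.job.map.class");
    conf.set("mapreduce.security.denied-tasks", "org.apache.hadoop.examples");
    conf.set("mapreduce.job.map.class",
        "org.apache.hadoop.examples.QuasiMonteCarlo");
    assertThrows(Exception.class, () -> TaskLevelSecurityEnforcer.check(conf));
  }
}
```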
<property>
  <name>mapreduce.security.property-domain</name>
  <value>mapreduce.job.combine.class,mapreduce.job.combiner.group.comparator.class,mapreduce.job.end-notification.custom-notifier-class,mapreduce.job.inputformat.class,mapreduce.job.map.class,mapreduce.job.map.output.collector.class,mapreduce.job.output.group.comparator.class,mapreduce.job.output.key.class,mapreduce.job.output.key.comparator.class,mapreduce.job.output.value.class,mapreduce.job.outputformat.class,mapreduce.job.partitioner.class,mapreduce.job.reduce.class,mapreduce.map.output.key.class,mapreduce.map.output.value.class</value>
  <description>
add all the chaining task properties too, presumably
How was this patch tested?
Unit tests were run.
For code changes:
If applicable, have the LICENSE, LICENSE-binary, NOTICE-binary files been updated?