Hadoop MapReduce Application Manager based security filter
A security filtering mechanism inside the Application Master prevents unauthorized mapper or reducer implementations from running within the cluster. This feature ensures that only approved classes or packages are executed inside containers, protecting the cluster from unwanted or unsafe task implementations that may introduce performance, stability, or security risks.
In a standard flow, a user submits a job to the Resource Manager (RM), which assigns it to a Node Manager (NM) where the Application Master (AM) is launched. The AM then requests containers from the cluster to execute mapper and reducer tasks.
Application Master Behavior Change
With this feature enabled, the Application Master performs the following security checks during job initialization:
- Extracts mapper and reducer class names from the job configuration.
- Compares these classes against configured blocklist patterns.
- If a match is found, checks whether the job submitter is in the allowed-users allowlist.
- If the submitter is not allowlisted, the AM blocks container startup and provides a clear, actionable error message.
- If all checks pass, the AM proceeds with launching task containers normally.
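The decision sequence above, sketched as an added example (not Hadoop's own code). It assumes a blocklist pattern is either an exact class name or a package prefix; `TaskClassFilter`, `check`, `matches` and the sample policy are hypothetical, and only the two `mapreduce.job.*.class` keys are real job configuration properties.

```java
import java.util.*;

// Added illustration, not Hadoop source. Pattern semantics (exact class name or
// package prefix) and all names except the two job keys are assumptions.
public class TaskClassFilter {
    // Real MapReduce job keys that hold the mapper and reducer class names.
    static final List<String> TASK_CLASS_KEYS =
        List.of("mapreduce.job.map.class", "mapreduce.job.reduce.class");

    /** Assumed semantics: a pattern matches the class itself or anything in that package. */
    static boolean matches(String pattern, String className) {
        return className.equals(pattern) || className.startsWith(pattern + ".");
    }

    /** Returns empty if containers may start, otherwise the error to show the submitter. */
    static Optional<String> check(Map<String, String> jobConf, String submitter,
                                  List<String> blocklist, Set<String> allowedUsers) {
        for (String key : TASK_CLASS_KEYS) {
            String cls = jobConf.get(key);
            if (cls == null || cls.isBlank()) continue;   // e.g. map-only job: no reducer set
            cls = cls.trim();
            for (String pattern : blocklist) {
                if (matches(pattern, cls) && !allowedUsers.contains(submitter)) {
                    return Optional.of(String.format(
                        "Job rejected: %s=%s matches blocked pattern '%s' and user '%s' "
                        + "is not in the allowed users list. Use an approved class or "
                        + "ask a cluster administrator for access.",
                        key, cls, pattern, submitter));
                }
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample policy and job configuration.
        List<String> blocklist = List.of("com.example.unsafe", "org.sample.LegacyReducer");
        Set<String> allowed = Set.of("etl-admin");
        Map<String, String> job = Map.of(
            "mapreduce.job.map.class", "com.example.unsafe.ShellMapper",
            "mapreduce.job.reduce.class", "org.sample.SumReducer");

        System.out.println(check(job, "alice", blocklist, allowed));      // submitter not allowlisted
        System.out.println(check(job, "etl-admin", blocklist, allowed));  // allowlisted submitter
        // Boundary case: "com.example.unsafely" is a different package from "com.example.unsafe".
        System.out.println(check(Map.of("mapreduce.job.map.class", "com.example.unsafely.X"),
                                 "alice", blocklist, allowed));
    }
}
```

Matching on `pattern + "."` rather than a bare string prefix keeps a blocked package from also catching unrelated packages that merely share its leading characters.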
