Enable and define security policies to restrict mapper and reducer implementations in
mapred-site.xml.
- Enable the security filtering feature by setting the following property in mapred-site.xml:
  mapreduce.security.enabled = true
- Use the mapreduce.security.denied-tasks property to provide a list of class or package patterns and define denied tasks by specifying forbidden Java classes or packages.
  Example patterns:
  org.apache.hadoop.streaming
  org.apache.hadoop.streaming.PipeMapper
  com.example.internal
- Configure allowlisted users to bypass the denied list.
  Use the mapreduce.security.allowed-users property to specify clusters that may need to run restricted code for legitimate reasons, such as system-level ETL pipelines.
  If you are in this allowlist, the blocklist rules are ignored for the submitted jobs.
This establishes stronger security boundaries within Hadoop MapReduce, enabling
administrator-defined control over allowed code paths, and offering protection
against the deliberate or unintentional use of unsafe task implementations.
Furthermore, the system provides fine-grained flexibility by allowing allowlisted
users for exceptional cases.
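
The following audit sketch is an added example, not part of the original documentation or of Hadoop itself: it reads a mapred-site.xml, flags weak settings for the three properties above, and predicts the outcome for a given user and task class. Assumptions: list values are comma-separated, a pattern matches the exact class or any class under that package, filtering is off when the property is absent, and the sample file and the etl_svc user are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample mapred-site.xml (not from a real cluster).
SAMPLE = """<configuration>
  <property><name>mapreduce.security.enabled</name><value>true</value></property>
  <property><name>mapreduce.security.denied-tasks</name>
    <value>org.apache.hadoop.streaming,com.example.internal</value></property>
  <property><name>mapreduce.security.allowed-users</name><value>etl_svc</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop site file."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    return props

def split_list(value):
    # Assumption: list values are comma-separated.
    return [v.strip() for v in value.split(",") if v.strip()]

def is_denied(class_name, patterns):
    # Assumption: a pattern matches the exact class or any class below that package.
    return any(class_name == p or class_name.startswith(p + ".") for p in patterns)

def audit(xml_text, user, task_class):
    """Return (findings, verdict) for one user submitting one task class."""
    props = load_props(xml_text)
    # Assumption: filtering is treated as disabled when the property is missing.
    enabled = props.get("mapreduce.security.enabled", "false").lower() == "true"
    denied = split_list(props.get("mapreduce.security.denied-tasks", ""))
    allowed = split_list(props.get("mapreduce.security.allowed-users", ""))
    findings = []
    if not enabled:
        findings.append("filtering disabled: denied-tasks has no effect")
    if enabled and not denied:
        findings.append("filtering enabled but denied-tasks is empty")
    if not enabled or not is_denied(task_class, denied):
        verdict = "allowed"
    elif user in allowed:
        verdict = "allowed (allowlisted user bypasses denied list)"
    else:
        verdict = "denied"
    return findings, verdict
```

Every name in mapreduce.security.allowed-users bypasses the denied list entirely, so the audit output for that property is worth reviewing whenever the file changes.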