[jira] [Commented] (HADOOP-9999) allow access to the DFS job submission + staging directory by members of the job submitters group

Thu, 03 Oct 2013 08:45:28 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-9999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13785289#comment-13785289
 ] 

Hadoop QA commented on HADOOP-9999:
-----------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest 
attachment 
  http://issues.apache.org/jira/secure/attachment/12606593/HADOOP-1.2-PERM.patch
  against trunk revision .

    {color:red}-1 patch{color}.  The patch command could not apply the patch.

Console output: 
https://builds.apache.org/job/PreCommit-HADOOP-Build/3161//console

This message is automatically generated.

> allow access to the DFS job submission + staging directory by members of the 
> job submitters group
> -------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9999
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9999
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 1.2.1, 2.0.5-alpha
>         Environment: linux
>            Reporter: bradley childs
>         Attachments: HADOOP-1.2-PERM.patch, hadoop-2.0.5-perm.patch
>
>
> The job submission and staging directories are explicitly given 0700 
> permissions restricting access of job submission files only to the submitter 
> UID. this prevents hadoop daemon services running under different UIDs from 
> reading the job submitters files.  it is common unix practice to run daemon 
> services under their own UIDs for security purposes.
> This bug can be demonstrated by creating a single node configuration, which 
> runs LocalFileSystem and not HDFS.  Create two users and add them to a 
> 'hadoop' group.  Start the hadoop services with one of the users, then submit 
> a map/reduce job with the other user (or run one of the examples).  Job 
> submission ultimately fails and the M/R job doesn't execute.
> The fix is simple enough and secure-- change the staging directory 
> permissions to 2750.  i have demonstrated the patch against 2.0.5 (along  
> with another fix for an incorrect decimal->octal conversion) and will attach 
> the patch.
> this bug is present since very early versions.  i would like to fix it at the 
> lowest level as  it's a simple file mode change in all versions, and 
> localized to one file.  is this possible?



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to