[jira] [Commented] (HADOOP-9999) allow access to the DFS job submission + staging directory by members of the job submitters group

Mon, 07 Oct 2013 15:16:35 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-9999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13788640#comment-13788640
 ] 

Aaron T. Myers commented on HADOOP-9999:
----------------------------------------

Hi Bradley, I don't necessarily think this is the right fix, since it only 
works in the case that the job submitter shares a group with the user running 
the JT, which shouldn't have to be the case. Regardless, this doesn't seem like 
a Hadoop Common issue, but rather an MR one, so I'm going to move the JIRA over 
there.

> allow access to the DFS job submission + staging directory by members of the 
> job submitters group
> -------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9999
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9999
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 1.2.1, 2.0.5-alpha
>         Environment: linux
>            Reporter: bradley childs
>         Attachments: HADOOP-1.2-PERM.patch, hadoop-2.0.5-perm.patch
>
>
> The job submission and staging directories are explicitly given 0700 
> permissions restricting access of job submission files only to the submitter 
> UID. this prevents hadoop daemon services running under different UIDs from 
> reading the job submitters files.  it is common unix practice to run daemon 
> services under their own UIDs for security purposes.
> This bug can be demonstrated by creating a single node configuration, which 
> runs LocalFileSystem and not HDFS.  Create two users and add them to a 
> 'hadoop' group.  Start the hadoop services with one of the users, then submit 
> a map/reduce job with the other user (or run one of the examples).  Job 
> submission ultimately fails and the M/R job doesn't execute.
> The fix is simple enough and secure-- change the staging directory 
> permissions to 2750.  i have demonstrated the patch against 2.0.5 (along  
> with another fix for an incorrect decimal->octal conversion) and will attach 
> the patch.
> this bug is present since very early versions.  i would like to fix it at the 
> lowest level as  it's a simple file mode change in all versions, and 
> localized to one file.  is this possible?



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to