[ https://issues.apache.org/jira/browse/HADOOP-11321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14227070#comment-14227070 ]
Chris Nauroth edited comment on HADOOP-11321 at 11/27/14 12:57 AM:
-------------------------------------------------------------------
bq. Is there a native API on Windows that creates a file with certain
permissions?
I think this would be
[{{CreateFile}}|http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx]
with the fourth argument containing a security descriptor with a DACL and
[{{CreateDirectory}}|http://msdn.microsoft.com/en-us/library/windows/desktop/aa363855%28v=vs.85%29.aspx]
with the same in the second argument. I had thought this would still get
blocked for lack of the {{WRITE_DAC}} right, but after playing around with this
more, it seems like {{WRITE_DAC}} is only enforced on modification of an
existing object, not on creation of a new file or directory. Maybe I had an
incorrect assumption.
I'm attaching a demo patch with some scratch code that shows how this works for
directory creation. We'd need to plug something like this into JNI calls. On
Linux, we'd need to do the equivalent for {{creat}} and {{mkdir}}.
I agree with the other benefits of this approach you mentioned, Colin. I'm
going to experiment with this more and see if it's feasible. I'll report back
later.
was (Author: cnauroth):
bq. Is there a native API on Windows that creates a file with certain
permissions?
I think this would be
[{{CreateFile}}|http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx]
with the fourth argument containing a security descriptor with a DACL and
[{{CreateDirectory}}|http://msdn.microsoft.com/en-us/library/windows/desktop/aa363855%28v=vs.85%29.aspx].
I had thought this would still get blocked for lack of the {{WRITE_DAC}}
right, but after playing around with this more, it seems like {{WRITE_DAC}} is
only enforced on modification of an existing object, not on creation of a new
file or directory. Maybe I had an incorrect assumption.
I'm attaching a demo patch with some scratch code that shows how this works for
directory creation. We'd need to plug something like this into JNI calls. On
Linux, we'd need to do the equivalent for {{creat}} and {{mkdir}}.
I agree with the other benefits of this approach you mentioned, Colin. I'm
going to experiment with this more, and I'll report back later.
> copyToLocal cannot save a file to an SMB share unless the user has Full
> Control permissions.
> --------------------------------------------------------------------------------------------
>
> Key: HADOOP-11321
> URL: https://issues.apache.org/jira/browse/HADOOP-11321
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs
> Affects Versions: 2.6.0
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HADOOP-11321.1.patch, HADOOP-11321.2.patch,
> winutils.tmp.patch
>
>
> In Hadoop 2, it is impossible to use {{copyToLocal}} to copy a file from HDFS
> to a destination on an SMB share. This is because in Hadoop 2, the
> {{copyToLocal}} maps to 2 underlying {{RawLocalFileSystem}} operations:
> {{create}} and {{setPermission}}. On an SMB share, the user may be
> authorized for the {{create}} but denied for the {{setPermission}}. Windows
> denies the {{WRITE_DAC}} right required by {{setPermission}} unless the user
> has Full Control permissions. Granting Full Control isn't feasible for most
> deployments, because it's insecure. This is a regression from Hadoop 1,
> where {{copyToLocal}} only did a {{create}} and didn't do a separate
> {{setPermission}}.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
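The POSIX side of the approach discussed in the comment above, as an added example that is not part of the HADOOP-11321 discussion or its attached patches: the permission bits are handed to open(O_CREAT) (the creat equivalent) and mkdir() at creation time, so the create + setPermission (chmod) pair that the issue describes collapses into a single call. The function names, the scenarios and the scratch paths under /tmp are constructed for this example. The one POSIX-specific caveat it makes visible is umask: the kernel applies mode & ~umask, so getting the exact requested bits means clearing the umask around the call, and umask() is process-wide state.

```c
/* Added example (not code from HADOOP-11321 or its patches): the POSIX side
 * of the approach described in the comment, i.e. giving creat()/open(O_CREAT)
 * and mkdir() the permission bits up front instead of the create +
 * setPermission (chmod) pair that the issue says is denied on an SMB share.
 *
 * POSIX caveat: the kernel applies `mode & ~umask`, so if the exact bits are
 * wanted the umask must be cleared around the call. umask() is process-wide,
 * so that is not thread-safe inside a multi-threaded JVM; a real JNI helper
 * would have to decide whether honouring the umask is acceptable instead. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PERM_BITS 07777

/* Create a regular file with `mode` in a single system call. O_EXCL makes
 * sure an existing file is never silently reopened with a different
 * permission set. If `exact` is non-zero the umask is cleared for the call.
 * Returns the permission bits the file actually got, or -1 with errno set. */
int create_file_with_mode(const char *path, mode_t mode, int exact)
{
    mode_t saved = 0;
    if (exact)
        saved = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    int err = errno;
    if (exact)
        umask(saved);
    if (fd < 0) {
        errno = err;
        return -1;
    }
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0)
        return -1;
    return (int)(st.st_mode & PERM_BITS);
}

/* Same idea for a directory: mkdir() takes the mode directly. */
int create_dir_with_mode(const char *path, mode_t mode, int exact)
{
    mode_t saved = 0;
    if (exact)
        saved = umask(0);
    int rc = mkdir(path, mode);
    int err = errno;
    if (exact)
        umask(saved);
    if (rc != 0) {
        errno = err;
        return -1;
    }
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & PERM_BITS);
}

/* Runs one constructed scenario in a fresh directory under /tmp and returns
 * the resulting permission bits (or -1 on failure or an unknown case):
 *   0: file, request 0666, umask 022 honoured  -> 0644
 *   1: file, request 0640, umask cleared       -> 0640
 *   2: dir,  request 0777, umask 022 honoured  -> 0755
 *   3: dir,  request 0750, umask cleared       -> 0750 */
int demo_case(int which)
{
    char base[] = "/tmp/hadoop11321-demo-XXXXXX";   /* constructed scratch path */
    if (mkdtemp(base) == NULL)
        return -1;
    char target[4096];
    snprintf(target, sizeof target, "%s/%s", base,
             (which < 2) ? "part-00000" : "subdir");

    mode_t old_umask = umask(022);   /* known starting umask for the demo */
    int result = -1;
    switch (which) {
    case 0: result = create_file_with_mode(target, 0666, 0); break;
    case 1: result = create_file_with_mode(target, 0640, 1); break;
    case 2: result = create_dir_with_mode(target, 0777, 0); break;
    case 3: result = create_dir_with_mode(target, 0750, 1); break;
    default: break;
    }
    umask(old_umask);

    /* Remove the scratch artefacts; failures here are not interesting. */
    if (which < 2)
        unlink(target);
    else
        rmdir(target);
    rmdir(base);
    return result;
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("case %d -> %04o\n", i, demo_case(i));
    return 0;
}
```

Two further caveats a practitioner would check before wiring something like this into a JNI call: on a directory carrying a POSIX default ACL the kernel masks the new object's mode with the default ACL instead of the umask, so the "exact" variant is not exact there either; and none of this applies to Windows, where, as the comment describes, the equivalent is the fourth argument of CreateFile (a SECURITY_ATTRIBUTES whose lpSecurityDescriptor carries the DACL) and the second argument of CreateDirectory, which is what lets the caller skip the separate setPermission step and the WRITE_DAC right it requires.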