[jira] Commented: (HADOOP-2543) No-permission-checking mode for smooth transition to 0.16's permissions features.

[Allen Wittenauer (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-2543?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12559155#action_12559155
 ] 

Allen Wittenauer commented on HADOOP-2543:
------------------------------------------

I disagree.    Permissions are a security feature.  It is much better to be 
safe than backwards compatible when implementing security features.

>From an ops perspective, this is the way in which I see the upgrade happening:

1. upgrade to 0.16 w/perms off.
2. use chown and chmod manually set to set proper ownership and perms
3. turn perms on.

There is significant risk that files may get missed during step 2.  It is MUCH 
safer from a security perspective to set the default perms to x00 than x77.  
This is especially important given that there is *no* way to audit who is 
accessing what files in Hadoop.  It is a *good* thing if users notice that they 
lost access to files they previously had access to--it means the permissions 
are either incorrect, got missed, or the file perms need to be re-evaluated.

Additionally, setting x77 means that there is a potential window where missed 
files can be co-opted by someone who shouldn't have them.

That said: all those requiring backwards compatibility should just keep perms 
turned off.  


> No-permission-checking mode for smooth transition to 0.16's permissions 
> features. 
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-2543
>                 URL: https://issues.apache.org/jira/browse/HADOOP-2543
>             Project: Hadoop
>          Issue Type: New Feature
>          Components: dfs
>    Affects Versions: 0.15.1
>            Reporter: Sanjay Radia
>            Assignee: Hairong Kuang
>             Fix For: 0.16.0
>
>
> In moving to 0.16,  which will support permissions, a mode of no-permission 
> checking has been proposed to allow smooth transition to using the new 
> permissions feature.
> The idea is that at first 0.16 will be used for a period of time with 
> permission checking off. 
> Later after the admin has changed ownership and permissions of various files, 
> the permission checking can be turned off.
> This Jira defines what the semantics are of the no-permission-checking mode.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.