Jerry Richard created HDFS-17911:
------------------------------------
Summary: Inconsistent authorization feedback for privileged HDFS
commands executed by non-admin users
Key: HDFS-17911
URL: https://issues.apache.org/jira/browse/HDFS-17911
Project: Hadoop HDFS
Issue Type: Improvement
Components: hdfs
Reporter: Jerry Richard
When non-privileged users execute HDFS administrative/daemon commands:
* {{hdfs namenode}}
* {{hdfs datanode}}
* {{hdfs secondarynamenode}}
the commands proceed to partial execution and fail with
{*}environmental/configuration errors{*}, instead of failing early with an
{*}authorization error{*}.
Example from test results :
* NameNode → fails with missing VERSION file
* DataNode → fails with missing keytab
* SecondaryNameNode → fails due to HA restriction
However, another privileged command:
* {{hdfs mover}}
correctly fails with:
AccessControlException: Superuser privilege is required
>From a usability perspective, it would be better to explicitly prevent these
>commands from being executed at the user level (via CLI/script checks) unless
>the user has appropriate administrative privileges.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
