[jira] [Moved] (MAPREDUCE-5571) allow access to the DFS job submission + staging directory by members of the job submitters group

Mon, 07 Oct 2013 15:16:29 -0700 

     [ 
https://issues.apache.org/jira/browse/MAPREDUCE-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aaron T. Myers moved HADOOP-9999 to MAPREDUCE-5571:
---------------------------------------------------

    Affects Version/s:     (was: 2.0.5-alpha)
                           (was: 1.2.1)
                       1.2.1
                       2.0.5-alpha
                  Key: MAPREDUCE-5571  (was: HADOOP-9999)
              Project: Hadoop Map/Reduce  (was: Hadoop Common)

> allow access to the DFS job submission + staging directory by members of the 
> job submitters group
> -------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-5571
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-5571
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>    Affects Versions: 2.0.5-alpha, 1.2.1
>         Environment: linux
>            Reporter: bradley childs
>         Attachments: HADOOP-1.2-PERM.patch, hadoop-2.0.5-perm.patch
>
>
> The job submission and staging directories are explicitly given 0700 
> permissions restricting access of job submission files only to the submitter 
> UID. this prevents hadoop daemon services running under different UIDs from 
> reading the job submitters files.  it is common unix practice to run daemon 
> services under their own UIDs for security purposes.
> This bug can be demonstrated by creating a single node configuration, which 
> runs LocalFileSystem and not HDFS.  Create two users and add them to a 
> 'hadoop' group.  Start the hadoop services with one of the users, then submit 
> a map/reduce job with the other user (or run one of the examples).  Job 
> submission ultimately fails and the M/R job doesn't execute.
> The fix is simple enough and secure-- change the staging directory 
> permissions to 2750.  i have demonstrated the patch against 2.0.5 (along  
> with another fix for an incorrect decimal->octal conversion) and will attach 
> the patch.
> this bug is present since very early versions.  i would like to fix it at the 
> lowest level as  it's a simple file mode change in all versions, and 
> localized to one file.  is this possible?



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to