[ 
https://issues.apache.org/jira/browse/MAPREDUCE-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13789363#comment-13789363
 ] 

bradley childs commented on MAPREDUCE-5571:
-------------------------------------------

Hi Aaron,

I agree there could be more relaxed scenarios, but this would be a huge step 
enabling the most basic:

* data set owned by 'hadoop' group
* members of 'hadoop' group have some access to data set (full access 
determined by owner)
* non members are restricted from viewing data set.  Or not, this isn't a hard 
requirement but may be restricted by owner.
* users in hadoop group can run map/reduce jobs against data set. 

I feel that a patch to externalize these permissions to a configuration option 
is more acceptable but the code bulk is less likely to get accepted.  

Note that these are also BUGS.  The decimal-->octal conversion forced by the 
0700 and 0644 values results in unexpected octal values for the permissions.   A 
simple System.out.println((short)0700); and System.out.println((short)0644); 
will demonstrate the resulting values.  

> allow access to the DFS job submission + staging directory by members of the 
> job submitters group
> -------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-5571
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-5571
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>    Affects Versions: 1.2.1, 2.0.5-alpha
>         Environment: linux
>            Reporter: bradley childs
>         Attachments: HADOOP-1.2-PERM.patch, hadoop-2.0.5-perm.patch
>
>
> The job submission and staging directories are explicitly given 0700 
> permissions restricting access of job submission files only to the submitter 
> UID. This prevents hadoop daemon services running under different UIDs from 
> reading the job submitter's files.  It is common unix practice to run daemon 
> services under their own UIDs for security purposes.
> This bug can be demonstrated by creating a single node configuration, which 
> runs LocalFileSystem and not HDFS.  Create two users and add them to a 
> 'hadoop' group.  Start the hadoop services with one of the users, then submit 
> a map/reduce job with the other user (or run one of the examples).  Job 
> submission ultimately fails and the M/R job doesn't execute.
> The fix is simple enough and secure-- change the staging directory 
> permissions to 2750.  I have demonstrated the patch against 2.0.5 (along  
> with another fix for an incorrect decimal->octal conversion) and will attach 
> the patch.
> This bug is present since very early versions.  I would like to fix it at the 
> lowest level as it's a simple file mode change in all versions, and 
> localized to one file.  Is this possible?



--
This message was sent by Atlassian JIRA
(v6.1#6144)
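
As an added illustration (not code from the attached patches or from Hadoop), the following stand-alone Java program evaluates the two staging-directory modes discussed in this issue, 0700 and 2750, for a submitter, a daemon in the same group, and a non-member, and prints how Java reads the mode literals. The user names `alice`, `mapred` and `eve`, the class name and the helper methods are assumptions made for the example; it needs Java 16 or later for `record`.

```java
import java.util.Set;

public class StagingModeDemo {
    // Constructed sample identity: a user name plus the groups it belongs to.
    record Caller(String user, Set<String> groups) {}

    /** POSIX-style check: select the owner, group or other triad, then test the wanted bits. */
    static boolean allows(int mode, String owner, String group, Caller c, int want) {
        int shift = c.user().equals(owner) ? 6 : c.groups().contains(group) ? 3 : 0;
        return ((mode >> shift) & want) == want;
    }

    /** Render the low nine bits the way ls does, marking the setgid bit (02000). */
    static String render(int mode) {
        char[] out = "rwxrwxrwx".toCharArray();
        for (int i = 0; i < 9; i++) {
            if ((mode & (1 << (8 - i))) == 0) out[i] = '-';
        }
        if ((mode & 02000) != 0) out[5] = (out[5] == 'x') ? 's' : 'S';
        return new String(out);
    }

    public static void main(String[] args) {
        // Hypothetical users: the job submitter, a daemon under its own UID, a non-member.
        Caller submitter = new Caller("alice", Set.of("hadoop"));
        Caller daemon = new Caller("mapred", Set.of("hadoop"));
        Caller outsider = new Caller("eve", Set.of("users"));
        int readAndTraverse = 05; // r-x: list the directory and open files inside it

        // Staging directory owned by alice:hadoop, first with 0700, then with 2750.
        for (int mode : new int[] {0700, 02750}) {
            System.out.printf("%04o %s submitter=%b daemon=%b outsider=%b%n",
                mode, render(mode),
                allows(mode, "alice", "hadoop", submitter, readAndTraverse),
                allows(mode, "alice", "hadoop", daemon, readAndTraverse),
                allows(mode, "alice", "hadoop", outsider, readAndTraverse));
        }

        // A leading zero makes a Java integer literal octal; println shows it in decimal.
        System.out.println((short) 0700);
        System.out.println((short) 0644);
        // Without the leading zero the literal is decimal and encodes different mode bits.
        System.out.println(Integer.toOctalString(700) + " " + render(700));
    }
}
```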
