[ https://issues.apache.org/jira/browse/MAPREDUCE-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13789363#comment-13789363 ]
bradley childs commented on MAPREDUCE-5571:
-------------------------------------------

Hi Aaron,

I agree there could be more relaxed scenarios, but this would be a huge step enabling the most basic:

* data set owned by 'hadoop' group
* members of 'hadoop' group have some access to data set (full access determined by owner)
* non-members are restricted from viewing data set. Or not, this isn't a hard requirement but may be restricted by owner.
* users in hadoop group can run map/reduce jobs against data set.

I feel that a patch to externalize these permissions to a configuration option is more acceptable but the code bulk is less likely to get accepted.

Note that these are also BUGS. The decimal-->octal conversion forced by the 0700 and 0644 values results in unexpected octal values for the permissions. A simple `System.out.println((short)0700);` and `System.out.println((short)0644);` will demonstrate the resulting values.

> allow access to the DFS job submission + staging directory by members of the job submitters group
> -------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-5571
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-5571
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>    Affects Versions: 1.2.1, 2.0.5-alpha
>         Environment: linux
>            Reporter: bradley childs
>         Attachments: HADOOP-1.2-PERM.patch, hadoop-2.0.5-perm.patch
>
>
> The job submission and staging directories are explicitly given 0700
> permissions restricting access of job submission files only to the submitter
> UID. This prevents hadoop daemon services running under different UIDs from
> reading the job submitter's files. It is common unix practice to run daemon
> services under their own UIDs for security purposes.
>
> This bug can be demonstrated by creating a single node configuration, which
> runs LocalFileSystem and not HDFS. Create two users and add them to a
> 'hadoop' group. Start the hadoop services with one of the users, then submit
> a map/reduce job with the other user (or run one of the examples). Job
> submission ultimately fails and the M/R job doesn't execute.
>
> The fix is simple enough and secure-- change the staging directory
> permissions to 2750. I have demonstrated the patch against 2.0.5 (along
> with another fix for an incorrect decimal->octal conversion) and will attach
> the patch.
>
> This bug is present since very early versions. I would like to fix it at the
> lowest level as it's a simple file mode change in all versions, and
> localized to one file. Is this possible?

--
This message was sent by Atlassian JIRA
(v6.1#6144)
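
As an added illustration (not part of the JIRA comment or the attached patches), this Python sketch models who can list a staging directory under modes 0700, 0750 and 2750, and what the setgid bit changes for files created inside it. The accounts `alice`, `mapred` and `guest` and all helper functions are constructed for the example; the setgid behaviour modelled is the Linux one.

```python
import stat

# Constructed accounts for illustration (not from the issue).
GROUPS = {"alice": {"alice", "hadoop"},    # job submitter
          "mapred": {"mapred", "hadoop"},  # daemon running under its own UID
          "guest": {"guest"}}              # not a member of 'hadoop'

def parse_mode(text):
    """Read a mode string from configuration as octal, the way chmod does."""
    return int(text, 8)

def render(mode):
    """ls-style string for a directory carrying these mode bits."""
    return stat.filemode(stat.S_IFDIR | mode)

def can_list(mode, owner, group, user):
    """POSIX picks exactly one class (owner, else group, else other);
    listing a directory and opening files in it needs both r and x."""
    if user == owner:
        need = stat.S_IRUSR | stat.S_IXUSR
    elif group in GROUPS[user]:
        need = stat.S_IRGRP | stat.S_IXGRP
    else:
        need = stat.S_IROTH | stat.S_IXOTH
    return mode & need == need

def child_group(dir_mode, dir_group, creator_primary_group):
    """Linux semantics: with setgid on the directory, new entries take the
    directory's group instead of the creator's primary group."""
    return dir_group if dir_mode & stat.S_ISGID else creator_primary_group

def report(mode_text):
    """(ls string, per-user access, group of a file alice creates inside)."""
    mode = parse_mode(mode_text)
    access = {u: can_list(mode, "alice", "hadoop", u) for u in GROUPS}
    return render(mode), access, child_group(mode, "hadoop", "alice")

if __name__ == "__main__":
    for text in ("0700", "0750", "2750"):
        print(text, *report(text))
    # The same digits taken as a decimal integer select different bits.
    print("decimal 700 ->", render(700),
          "| octal 700 is", parse_mode("700"), "in decimal")
```

With 0750 the daemon can read the directory, but a file `alice` creates there still carries her primary group; 2750 is the mode under which new entries stay in the `hadoop` group.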