HBase multi-user security

2012-07-11 Thread Tony Dean
Hi,

Looking at this further, it appears that when HBaseRPC is creating a proxy 
(e.g., SecureRpcEngine), it injects the current user:
User.getCurrent() which by default is the cached Kerberos TGT (kinit'ed user - 
using the hadoop-user-kerberos JAAS context).

Since the server proxy always uses User.getCurrent(), how can an application 
inject the user it wants to use for authorization checks on the peer (region 
server)?

And since SecureHadoopUser is a static class, how can you have more than 1 
active user in the same application?

What you have works for a single user application like the hbase shell, but 
what about a multi-user application?

Am I missing something?

Thanks!

-Tony

-Original Message-
From: Alejandro Abdelnur [mailto:t...@cloudera.com] 
Sent: Monday, July 02, 2012 11:40 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Tony,

If you are doing a server app that interacts with the cluster on behalf of 
different users (like Oozie, as you mentioned in your email), then you should 
use the proxyuser capabilities of Hadoop.

* Configure user MYSERVERUSER as proxyuser in Hadoop core-site.xml (this 
requires 2 properties settings, HOSTS and GROUPS).
* Run your server app as MYSERVERUSER and have a Kerberos principal 
MYSERVERUSER/MYSERVERHOST
* Initialize your server app loading the MYSERVERUSER/MYSERVERHOST keytab
* Use the UGI.doAs() to create JobClient/Filesystem instances using the user 
you want to do something on behalf
* Keep in mind that all the users you need to do something on behalf should be 
valid Unix users in the cluster
* If those users need direct access to the cluster, they'll have to be also 
defined in the KDC user database.

Hope this helps.

Thx


RE: hadoop security API (repost)

2012-07-02 Thread Tony Dean
Yes, but this will not work in a multi-tenant environment.  I need to be able 
to create a Kerberos TGT per execution thread.

I was hoping through JAAS that I could inject the name of the current principal 
and authenticate against it.  I'm sure there is a best practice for 
hadoop/hbase client API authentication, just not sure what it is.

Thank you for your comment.  The solution may well be associated with the 
UserGroupInformation class.  Hopefully, other ideas will come from this thread.

Thanks.

-Tony

-Original Message-
From: Ivan Frain [mailto:ivan.fr...@gmail.com] 
Sent: Monday, July 02, 2012 8:14 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Hi Tony,

I am currently working on this to access HDFS securely and programmatically.
What I have found so far may help even if I am not 100% sure this is the right 
way to proceed.

If you have already obtained a TGT from the kinit command, hadoop library will 
locate it automatically if the name of the ticket cache corresponds to 
default location. On Linux it is located /tmp/krb5cc_uid-number.

For example, with my linux user hdfs, I get a TGT for hadoop user 'ivan'
meaning you can impersonate ivan from hdfs linux user:
--
hdfs@mitkdc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10003
Default principal: i...@hadoop.lan

Valid starting       Expires              Service principal
02/07/2012 13:59     02/07/2012 23:59     krbtgt/hadoop@hadoop.lan
        renew until 03/07/2012 13:59
---

Then, you just have to set the right security options in your hadoop client in 
java and the identity will be i...@hadoop.lan for our example. In my tests, I 
only use HDFS and here a snippet of code to have access to a secure hdfs 
cluster assuming the previous TGT (ivan's impersonation):


 // imports the snippet needs (Hadoop 0.23.x package names)
 import java.net.URI
 import org.apache.hadoop.fs.{CommonConfigurationKeysPublic, FileSystem}
 import org.apache.hadoop.hdfs.{DFSConfigKeys, HdfsConfiguration}
 import org.apache.hadoop.security.UserGroupInformation

 // serverPrincipal (the NameNode's Kerberos principal) and hdfsUri are defined elsewhere
 val conf: HdfsConfiguration = new HdfsConfiguration()
 conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos")
 conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true")
 conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, serverPrincipal)

 // must run before any other UserGroupInformation call; the login user is then
 // taken from the kinit ticket cache
 UserGroupInformation.setConfiguration(conf)

 val fs = FileSystem.get(new URI(hdfsUri), conf)


Using this 'fs' is a handler to access hdfs securely as user 'ivan' even if 
ivan does not appear in the hadoop client code.

Anyway, I also see two other options:
  * Setting the KRB5CCNAME environment variable to point to the right 
ticketCache file
  * Specifying the keytab file you want to use from the UserGroupInformation 
singleton API:
UserGroupInformation.loginUserFromKeytab(user, keytabFile)

If you want to understand the auth process and the different options to login, 
I guess you need to have a look to the UserGroupInformation.java source code 
(release 0.23.1 link: http://bit.ly/NVzBKL). The private class 
HadoopConfiguration line 347 is of major interest in our case.

Another point is that I did not find any easy way to prompt the user for a 
password at runtime using the actual hadoop API. It appears to be somehow 
hardcoded in the UserGroupInformation singleton. I guess it could be nice to 
have a new function to give to the UserGroupInformation an authenticated 
'Subject' which could override all default configurations. If someone has 
better ideas it could be nice to discuss on it as well.


BR,
Ivan

2012/7/1 Tony Dean tony.d...@sas.com

 Hi,

 The security documentation specifies how to test a secure cluster by 
 using kinit and thus adding the Kerberos principal TGT to the ticket 
 cache in which the hadoop client code uses to acquire service tickets 
 for use in the cluster.
 What if I created an application that used the hadoop API to 
 communicate with hdfs and/or mapred protocols, is there a programmatic 
 way to inform hadoop to use a particular Kerberos principal name with 
 a keytab that contains its password key?  I didn't see a way to 
 integrate with JAAS KrbLoginModule.
 I was thinking that if I could inject a callbackHandler, I could pass 
 the principal name and the KrbLoginModule already has options to 
 specify keytab.
 Is this something that is possible?  Or is this just not the right way 
 to do things?

 I read about impersonation where authentication is performed with a 
 system user such as oozie and then it just impersonates other users 
 so that permissions are based on the impersonated user instead of the 
 system user.

 Please help me understand my options for executing hadoop tasks in a 
 multi-tenant application.

 Thank you!





--
Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
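An added example, not code from Ivan's message and not Hadoop's own code, that takes the keytab option he lists one step further: instead of the process-wide loginUserFromKeytab, each tenant principal gets its own UserGroupInformation through loginUserFromKeytabAndReturnUGI, and HDFS calls run inside that identity's doAs(). It assumes the Hadoop 1.0.x client API and that this method is present there; the principals, realm, keytab paths and NameNode address are placeholders.

```java
// Added example (not from this thread and not Hadoop's own code): one JVM holding
// several Kerberos identities at once, each logged in from its own keytab into its
// own UserGroupInformation, with HDFS calls run inside that identity's doAs().
// Assumes the Hadoop 1.0.x client API, including
// UserGroupInformation.loginUserFromKeytabAndReturnUGI; principals, realm, keytab
// paths and the NameNode address are placeholders.
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class PerTenantKerberos {

    private final Configuration conf;
    // principal -> its authenticated UGI (a separate JAAS Subject holding that principal's TGT)
    private final ConcurrentMap<String, UserGroupInformation> logins =
            new ConcurrentHashMap<String, UserGroupInformation>();

    public PerTenantKerberos(Configuration conf) {
        this.conf = conf;
        UserGroupInformation.setConfiguration(conf); // select the Kerberos code path first
    }

    /** Log principal in from keytab once and cache the identity for reuse. */
    public UserGroupInformation identityFor(String principal, String keytab) throws IOException {
        UserGroupInformation ugi = logins.get(principal);
        if (ugi == null) {
            // Unlike loginUserFromKeytab(), this leaves the process-wide login user untouched,
            // so several principals can be live at the same time on different threads.
            ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
            UserGroupInformation first = logins.putIfAbsent(principal, ugi);
            if (first != null) {
                ugi = first; // another thread won the race; use its login
            }
        }
        return ugi;
    }

    /** Stat path as principal; the NameNode authorizes against that principal's short name. */
    public String describeAs(String principal, String keytab, final String path) throws Exception {
        return identityFor(principal, keytab).doAs(new PrivilegedExceptionAction<String>() {
            @Override
            public String run() throws IOException {
                // Inside doAs the "current user" is the tenant, not whoever started the JVM.
                String effective = UserGroupInformation.getCurrentUser().getShortUserName();
                FileStatus st = FileSystem.get(conf).getFileStatus(new Path(path));
                return effective + " -> " + st.getPath() + " owner=" + st.getOwner()
                        + " mode=" + st.getPermission();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hadoop.security.authorization", "true");
        conf.set("fs.default.name", "hdfs://namenode.example.com:8020");
        conf.set("dfs.namenode.kerberos.principal", "hdfs/namenode.example.com@EXAMPLE.COM");

        final PerTenantKerberos tenants = new PerTenantKerberos(conf);
        // Two tenants served concurrently; each thread carries a different identity.
        final String[][] jobs = {
            { "alice@EXAMPLE.COM", "/etc/security/keytabs/alice.keytab", "/user/alice" },
            { "bob@EXAMPLE.COM",   "/etc/security/keytabs/bob.keytab",   "/user/bob" },
        };
        Thread[] workers = new Thread[jobs.length];
        for (int i = 0; i < workers.length; i++) {
            final String[] job = jobs[i];
            workers[i] = new Thread(new Runnable() {
                @Override
                public void run() {
                    try {
                        System.out.println(tenants.describeAs(job[0], job[1], job[2]));
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }
            });
            workers[i].start();
        }
        for (Thread w : workers) {
            w.join();
        }
    }
}
```

This is the "no proxy, just execute as the designated user" route, and its cost is custody: the server has to hold every tenant's keytab, so a compromise of that host yields every tenant's long-term key, whereas the proxyuser model exposes only the server's own principal and lets the NameNode bound whom it may impersonate. As I read the 1.0.x UserGroupInformation source, the relogin helpers only know about the static login user's keytab, so identities obtained this way are not renewed on their own; a long-running process should repeat the login (replacing the cached entry) before the ticket lifetime shown by klist runs out.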



RE: hadoop security API (repost)

2012-07-02 Thread Tony Dean
Alejandro,

Thanks for the reply.  My intent is to also be able to scan/get/put hbase 
tables under a specified identity as well.  What options do I have to perform 
the same multi-tenant  authorization for these operations?  I have posted this 
to hbase users distribution list as well, but thought you might have insight.  
Since hbase security authentication is so dependent upon hadoop, it would be 
nice if your suggestion worked for hbase as well.

Getting back to your suggestion... when configuring 
hadoop.proxyuser.myserveruser.hosts, host1 would be where I'm making the 
ugi.doAs() privileged call and host2 is the hadoop namenode?

Also, an another option, is there not a way for an application to pass 
hadoop/hbase authentication the name of a Kerberos principal to use?  In this 
case, no proxy, just execute as the designated user.

Thanks.

-Tony

-Original Message-
From: Alejandro Abdelnur [mailto:t...@cloudera.com] 
Sent: Monday, July 02, 2012 11:40 AM
To: common-user@hadoop.apache.org
Subject: Re: hadoop security API (repost)

Tony,

If you are doing a server app that interacts with the cluster on behalf of 
different users (like Oozie, as you mentioned in your email), then you should 
use the proxyuser capabilities of Hadoop.

* Configure user MYSERVERUSER as proxyuser in Hadoop core-site.xml (this 
requires 2 properties settings, HOSTS and GROUPS).
* Run your server app as MYSERVERUSER and have a Kerberos principal 
MYSERVERUSER/MYSERVERHOST
* Initialize your server app loading the MYSERVERUSER/MYSERVERHOST keytab
* Use the UGI.doAs() to create JobClient/Filesystem instances using the user 
you want to do something on behalf
* Keep in mind that all the users you need to do something on behalf should be 
valid Unix users in the cluster
* If those users need direct access to the cluster, they'll have to be also 
defined in the KDC user database.

Hope this helps.

Thx

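An added example, not from this thread and not Hadoop's own code, that puts Alejandro's proxyuser steps into one server-side class: log in once from the server's keytab, then wrap each end-user request in UserGroupInformation.createProxyUser(...).doAs(...). It assumes the Hadoop 1.0.x client API; MYSERVERUSER, the keytab path, host names, the realm and the HDFS paths are placeholders.

```java
// Added example (not from this thread and not Hadoop's own code): the proxyuser
// pattern Alejandro describes, in one server-side class. Assumes the Hadoop 1.0.x
// client API; principal names, realm, host names and paths are placeholders.
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUserServer {

    // The server's own identity. Its short name ("myserveruser") is what the
    // hadoop.proxyuser.myserveruser.{hosts,groups} properties on the NameNode refer to.
    private static final String SERVER_PRINCIPAL = "myserveruser/myserverhost.example.com@EXAMPLE.COM";
    private static final String SERVER_KEYTAB = "/etc/security/keytabs/myserveruser.keytab";

    private final Configuration conf;

    public ProxyUserServer(Configuration conf) throws IOException {
        this.conf = conf;
        // Must precede any other UserGroupInformation call; switches UGI to the Kerberos path.
        UserGroupInformation.setConfiguration(conf);
        // One-time login from the keytab: the process-wide "login user" is now the server.
        UserGroupInformation.loginUserFromKeytab(SERVER_PRINCIPAL, SERVER_KEYTAB);
    }

    /** List dir as endUser. HDFS permission checks apply to endUser, not to the server. */
    public FileStatus[] listAs(String endUser, final String dir)
            throws IOException, InterruptedException {
        // Keep the server's own TGT fresh in a long-running process (no-op unless near expiry).
        UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();

        // The proxy UGI authenticates with the server's credentials but names endUser as
        // the effective user. The NameNode accepts it only if myserveruser is allowed to
        // impersonate endUser's groups from this client host.
        UserGroupInformation proxy =
                UserGroupInformation.createProxyUser(endUser, UserGroupInformation.getLoginUser());

        return proxy.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
            @Override
            public FileStatus[] run() throws IOException {
                // FileSystem.get() caches instances keyed on the current UGI, so creating it
                // inside doAs binds the handle to the proxy identity rather than to the server.
                FileSystem fs = FileSystem.get(conf);
                return fs.listStatus(new Path(dir));
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hadoop.security.authorization", "true");
        conf.set("fs.default.name", "hdfs://namenode.example.com:8020");
        conf.set("dfs.namenode.kerberos.principal", "hdfs/namenode.example.com@EXAMPLE.COM");

        ProxyUserServer server = new ProxyUserServer(conf);
        // Each request names the user it acts for; that user never has to kinit on this host.
        String tenant = args.length > 0 ? args[0] : "alice";
        for (FileStatus st : server.listAs(tenant, "/user/" + tenant)) {
            System.out.println(st.getPath() + " owner=" + st.getOwner() + " " + st.getPermission());
        }
    }
}
```

On the cluster side this needs two core-site.xml properties read by the NameNode (and JobTracker): hadoop.proxyuser.myserveruser.hosts, listing the host(s) the server app connects from (the machine running the doAs call, not the NameNode), and hadoop.proxyuser.myserveruser.groups, listing the Unix groups the impersonated users belong to; both can be reloaded with hadoop dfsadmin -refreshSuperUserGroupsConfiguration. An AuthorizationException saying the server user is not allowed to impersonate the tenant is the symptom of a missing or wrong entry. Nothing here is asserted about HBase: whether a region server honours a proxy identity created this way depends on its own configuration, which this thread does not cover.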

hadoop security API

2012-07-01 Thread Tony Dean
Hi,

The security documentation specifies how to test a secure cluster by using 
kinit and thus adding the Kerberos principal TGT to the ticket cache in which 
the hadoop client code uses to acquire service tickets for use in the cluster.  
What if I created an application that used the hadoop API to communicate with 
hdfs and/or mapred protocols, is there a programmatic way to inform hadoop to 
use a particular Kerberos principal name with a keytab that contains its 
password key?  I didn't see a way to integrate with JAAS KrbLoginModule.  I was 
thinking that if I could inject a callbackHandler, I could pass the principal 
name and the KrbLoginModule already has options to specify keytab.  Is this 
something that is possible?  Or is this just not the right way to do things?  I 
read about impersonation where authentication is performed with a system user 
such as oozie and then it just impersonates other users so that permissions 
are based on the impersonated user instead of the system user.

Please help me understand my options for executing hadoop tasks in a 
multi-tenant application.

Thank you!

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704







hadoop security API (repost)

2012-07-01 Thread Tony Dean
Hi,

The security documentation specifies how to test a secure cluster by using
kinit and thus adding the Kerberos principal TGT to the ticket cache in which
the hadoop client code uses to acquire service tickets for use in the cluster.
What if I created an application that used the hadoop API to communicate with
hdfs and/or mapred protocols, is there a programmatic way to inform hadoop to
use a particular Kerberos principal name with a keytab that contains its
password key?  I didn't see a way to integrate with JAAS KrbLoginModule.
I was thinking that if I could inject a callbackHandler, I could pass the
principal name and the KrbLoginModule already has options to specify keytab.
Is this something that is possible?  Or is this just not the right way to do 
things?

I read about impersonation where authentication is performed with a system user 
such as oozie and then it just impersonates other users so that permissions are 
based on the impersonated user instead of the system user.

Please help me understand my options for executing hadoop tasks in a 
multi-tenant application.

Thank you!




RE: hadoop kerberos security / unix kdc

2012-06-30 Thread Tony Dean
I have been looking at this for 2 days now with no avail... does anyone know 
why I would be getting a checksum error when I have validated my keys.

I actually deleted my service principals from kdc DB and added them back with a 
human readable password instead of random key.  I regenerated my keytab with 
those service principal.  From namenode, I am able to kinit to the kdc with and 
without the keytab.  However, when I start the namenode, I still get checksum.  
I even tried a different kdc (older 1.8 instead of new 1.9.1) and received the 
same exception.

It has to be something simple, but I just can't figure it out.

If anyone has any ideas please let me know.

The latest traces are as follows:

Found key for host/rdcesx10030.race.sas@obsidian.sas.com(23)
Found key for host/rdcesx10030.race.sas@obsidian.sas.com(18)
Found ticket for host/rdcesx10030.race.sas@obsidian.sas.com to go to 
krbtgt/obsidian.sas@obsidian.sas.com expiring on Mon Jul 02 00:33:02 EDT 
2012
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for host/rdcesx10030.race.sas@obsidian.sas.com to go to 
krbtgt/obsidian.sas@obsidian.sas.com expiring on Mon Jul 02 00:33:02 EDT 
2012
Service ticket not found in the subject
 Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17 18.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
Checksum failed !
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbKdcReq send: kdc=cikdc.unx.sas.com UDP:88, timeout=3, number of 
 retries =3, #bytes=716
 KDCCommunication: kdc=cikdc.unx.sas.com UDP:88, timeout=3,Attempt =1, 
 #bytes=716
12/07/01 00:33:05 INFO ipc.Server: IPC Server listener on 8020: readAndProcess 
threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused 
by GSSException: Failure unspecified at GSS-API level (Mechanism level: 
Checksum failed)]. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
Failure unspecified at GSS-API level (Mechanism level: Checksum failed)]
at 
com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
at 
org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1007)
at 
org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1180)
at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537)
at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: 
Checksum failed)
at 
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at 
com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
... 7 more
Caused by: KrbException: Checksum failed
at 
sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at 
sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268)
at sun.security.krb5.KrbApReq.init(KrbApReq.java:134)
at 
sun.security.jgss.krb5.InitSecContextToken.init(InitSecContextToken.java:79)
at 
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 10 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at 
sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at 
sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at 
sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 16 more

Thanks!

_
From: Tony Dean
Sent: Friday, June 29, 2012 4:50 PM
To: 'common-user@hadoop.apache.org'
Subject: hadoop kerberos security / unix kdc


First, I'd like to thank the community for the time and effort they put into 
sharing their knowledge...

A few weeks back I was able to configure a secure hadoop/hbase cluster (MIT 
1.6.1 Kerberos on cluster) using a Windows Domain Controller/AD for the KDC.  
I'm using hadoop 1.0.3 and hbase 0.92.1-security distributions.

Now I am trying setup my own Unix KDC (MIT 1.9.1 Kerberos) against

RE: hadoop kerberos security / unix kdc

2012-06-29 Thread Tony Dean
Hadoop 1.0.3, JDK1.6.0_21 with JCE export jars for strong encryption.

-Original Message-
From: Owen O'Malley [mailto:omal...@apache.org] 
Sent: Friday, June 29, 2012 5:02 PM
To: common-user@hadoop.apache.org
Subject: Re: hadoop kerberos security / unix kdc

On Fri, Jun 29, 2012 at 1:50 PM, Tony Dean tony.d...@sas.com wrote:

  First, I’d like to thank the community for the time and effort they 
 put into sharing their knowledge…


Which version of Hadoop are you running? Which JDK are you using? You probably 
need HDFS-2617 and JDK 1.6.0_31.

-- Owen


RE: hadoop kerberos security / unix kdc

2012-06-29 Thread Tony Dean
I installed 1.6.0 update 33 ... it didn't help this situation.

-Original Message-
From: Owen O'Malley [mailto:omal...@apache.org] 
Sent: Friday, June 29, 2012 5:28 PM
To: common-user@hadoop.apache.org
Subject: Re: hadoop kerberos security / unix kdc

On Fri, Jun 29, 2012 at 2:07 PM, Tony Dean tony.d...@sas.com wrote:

 Hadoop 1.0.3, JDK1.6.0_21 with JCE export jars for strong encryption.


You need to move up to a JDK > 1.6.0_27. I'd suggest 1.6.0_31.

For details, look at: http://wiki.apache.org/hadoop/HadoopJavaVersions

-- Owen


hbase client security (cluster is secure)

2012-06-08 Thread Tony Dean
Hi all,

I have created a hadoop/hbase/zookeeper cluster that is secured and verified.  
Now a simple test is to connect an hbase client (e.g, shell) to see its 
behavior.

Well, I get the following message on the hbase master: AccessControlException: 
authentication is required.

Looking at the code it appears that the client passed simple authentication 
byte in the rpc header.  Why, I don't know?

My client configuration is as follows:

hbase-site.xml:
   <property>
     <name>hbase.security.authentication</name>
     <value>kerberos</value>
   </property>

   <property>
     <name>hbase.rpc.engine</name>
     <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
   </property>

hbase-env.sh:
export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config=/usr/local/hadoop/hbase/conf/hbase.jaas"

hbase.jaas:
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=false
   useTicketCache=true;
};

I issue kinit for the client I want to use.  Then invoke hbase shell.  I simply 
issue list and see the error on the server.

Any ideas what I am doing wrong?

Thanks so much!


_
From: Tony Dean
Sent: Tuesday, June 05, 2012 5:41 PM
To: common-user@hadoop.apache.org
Subject: hadoop file permission 1.0.3 (security)


Can someone detail the options that are available to set file permissions at 
the hadoop and os level?  Here's what I have discovered thus far:

dfs.permissions  = true|false (works as advertised)
dfs.supergroup = supergroup (works as advertised)
dfs.umaskmode = umask (I believe this should be used in lieu of dfs.umask) - it 
appears to set the permissions for files created in hadoop fs (minus execute 
permission).
why was dfs.umask deprecated?  what's the difference between the 2.
dfs.datanode.data.dir.perm = perm (not sure this is working at all?) I thought 
it was supposed to set permission on blks at the os level.

Are there any other file permission configuration properties?

What I would really like to do is set data blk file permissions at the os level 
so that the blocks can be locked down from all users except super and 
supergroup, but allow them to be accessed by the hadoop API as specified by hdfs 
permissions.  Is this possible?

Thanks.


Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704






hadoop file permission 1.0.3 (security)

2012-06-05 Thread Tony Dean
Can someone detail the options that are available to set file permissions at 
the hadoop and os level?  Here's what I have discovered thus far:

dfs.permissions  = true|false (works as advertised)
dfs.supergroup = supergroup (works as advertised)
dfs.umaskmode = umask (I believe this should be used in lieu of dfs.umask) - it 
appears to set the permissions for files created in hadoop fs (minus execute 
permission).
why was dfs.umask deprecated?  what's the difference between the 2.
dfs.datanode.data.dir.perm = perm (not sure this is working at all?) I thought 
it was supposed to set permission on blks at the os level.

Are there any other file permission configuration properties?

What I would really like to do is set data blk file permissions at the os level 
so that the blocks can be locked down from all users except super and 
supergroup, but allow them to be accessed by the hadoop API as specified by hdfs 
permissions.  Is this possible?

Thanks.


Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704







RE: datanode security (v 1.0.3)

2012-06-04 Thread Tony Dean
Thank you.  That did the trick.

-Original Message-
From: Sheeba George [mailto:sheeba.geo...@gmail.com] 
Sent: Monday, June 04, 2012 1:29 AM
To: common-user@hadoop.apache.org
Subject: Re: datanode security (v 1.0.3)

Hi Tony ,

Please take a look at  https://issues.apache.org/jira/browse/HDFS-3402
The attached patch fixes the same problem.

Sheeba

On Sun, Jun 3, 2012 at 6:01 PM, Tony Dean tony.d...@sas.com wrote:

  Why is there no documentation on how to run a datanode in secure mode?
 Or have I just missed it.

 I've searched and found bits and pieces, but shouldn't this 
 information be in the security documentation?

 Well, my current state is this:


1. I understand that the datanode must use ports < 1k so it must run
the threads doing this work as root.
2. I set an environment variable: HADOOP_SECURE_DN_USER so that the
datanode can switch to this user for normal work.
3. This keeps me from getting the Cannot start secure cluster without
privileged resources message.
4. But, now I'm getting


 03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
 03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line 
 arguments

 Does anyone know how to get this to work?  I'm new to Hadoop/HBase, 
 but the security documentation or lack thereof is a big turnoff thus far.

 I really appreciate any guidance here.

 Thanks!


 Tony Dean
 SAS Institute Inc.
 Senior Software Developer
 919-531-6704








--
Sheeba Ann George



how to run datanode in secure mode?

2012-06-03 Thread Tony Dean
Why is there no documentation on how to run a datanode in secure mode?  Or have 
I just missed it.

I've searched and found bits and pieces, but shouldn't this information be in 
the security documentation?  Is security built into the documentation as well 
as the code!

Well, my current state is this:

1.  I understand that the datanode must use ports < 1k so it must run the 
threads doing this work as root.
2.  I set an environment variable: HADOOP_SECURE_DN_USER so that the 
datanode can switch to this user for normal work.
3.  This keeps me from getting the Cannot start secure cluster without 
privileged resources message.
4.  But, now I'm getting

03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line arguments

Does anyone know how to get this to work?  I'm new to Hadoop/HBase, but the 
security documentation or lack thereof is a big turnoff.

I really appreciate any guidance here.

Thanks!

Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704







datanode security (v 1.0.3)

2012-06-03 Thread Tony Dean
Why is there no documentation on how to run a datanode in secure mode?  Or have 
I just missed it.

I've searched and found bits and pieces, but shouldn't this information be in 
the security documentation?

Well, my current state is this:

1.  I understand that the datanode must use ports < 1k so it must run the 
threads doing this work as root.
2.  I set an environment variable: HADOOP_SECURE_DN_USER so that the 
datanode can switch to this user for normal work.
3.  This keeps me from getting the Cannot start secure cluster without 
privileged resources message.
4.  But, now I'm getting

03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line arguments

Does anyone know how to get this to work?  I'm new to Hadoop/HBase, but the 
security documentation or lack thereof is a big turnoff thus far.

I really appreciate any guidance here.

Thanks!


Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704







RE: datanode security (v 1.0.3)

2012-06-03 Thread Tony Dean
sending again due to smtp failure.

_
From: Tony Dean
Sent: Sunday, June 03, 2012 9:02 PM
To: 'core-u...@hadoop.apache.org'
Subject: datanode security (v 1.0.3)


Why is there no documentation on how to run a datanode in secure mode?  Or have 
I just missed it.

I've searched and found bits and pieces, but shouldn't this information be in 
the security documentation?

Well, my current state is this:

1.  I understand that the datanode must use ports < 1k so it must run the 
threads doing this work as root.
2.  I set an environment variable: HADOOP_SECURE_DN_USER so that the 
datanode can switch to this user for normal work.
3.  This keeps me from getting the Cannot start secure cluster without 
privileged resources message.
4.  But, now I'm getting

03/06/2012 18:20:08 3809 jsvc.amd64 error: Invalid option -server
03/06/2012 18:20:08 3809 jsvc.amd64 error: Cannot parse command line arguments

Does anyone know how to get this to work?  I'm new to Hadoop/HBase, but the 
security documentation or lack thereof is a big turnoff thus far.

I really appreciate any guidance here.

Thanks!


Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704
