Koert, If you use the org.apache.hadoop.security.ShellBasedUnixGroupsMapping class (via hadoop.security.group.mapping), then yes the NameNode's view of the local unix groups (and the primary group) of the user is the final say on what groups the user belongs to. This can be relied on - but note that HDFS uses BSD style semantics when it comes to groups and when creating directories/files, the parent directory groups are inherited automatically unless altered after creation.
On Tue, Oct 9, 2012 at 2:30 AM, Koert Kuipers <ko...@tresata.com> wrote: > With secure hadoop the user name is authenticated by the kerberos server. > But what about the groups that the user is a member of? Are these simple the > groups that the user is a member of on the namenode machine? > Is it viable to manage access to files on HDFS using groups on a secure > hadoop cluster? > -- Harsh J
