Sean Busbey created ACCUMULO-2806:
-------------------------------------
Summary: Accumulo init should ensure wals and tables are not world readable
Key: ACCUMULO-2806
URL: https://issues.apache.org/jira/browse/ACCUMULO-2806
Project: Accumulo
Issue Type: Bug
Affects Versions: 1.6.0
Reporter: Sean Busbey
Priority: Critical
Fix For: 1.6.1, 1.7.0
Just did an init on a new 1.6.1-SNAP cluster, and noticed the following permissions:
{noformat}
dfs -ls /
Found 4 items
drwxr-xr-x - accumulo supergroup 0 2014-05-14 09:48 /accumulo
drwxr-xr-x - hdfs supergroup 0 2014-05-14 08:10 /jobtracker
drwxrwxrwx - hdfs supergroup 0 2014-05-14 08:10 /tmp
drwxr-xr-x - hdfs supergroup 0 2014-05-14 09:48 /user
-bash-4.1$ hdfs dfs -ls /accumulo
Found 3 items
drwxr-xr-x - accumulo supergroup 0 2014-05-14 09:55 /accumulo/instance_id
drwxr-xr-x - accumulo supergroup 0 2014-05-14 09:55 /accumulo/tables
drwxr-xr-x - accumulo supergroup 0 2014-05-14 09:55 /accumulo/version
{noformat}
I previously set up /accumulo as 755, under the understanding that clients need access to
/accumulo/instance_id
things to fix
# make init chmod tables and wals to 700, as a defensive measure to avoid data leaks
# maybe also make sure if the trash is enabled that our user directory is also not world readable
# If clients don't need access to instance_id, include a check that the data dir is not world
readable
Workaround: manually change permissions after init
--
This message was sent by Atlassian JIRA
(v6.2#6252)
|