hadoop-common-user mailing list archives

From Nathaniel Braun <n.br...@criteo.com>
Subject RE: HTTPFS without impersonation
Date Wed, 03 Jun 2015 12:03:06 GMT
Hi,

We want to let users & teams be able to run their HTTPFS in order to isolate instances.
One team thus cannot crash another team's HTTPFS instance.

Now, I make the following request:

curl "localhost:14000/webhdfs/v1/user/team_user?op=LISTSTATUS&user.name=team_user"

And I get the following response:

{"RemoteException":{"message":"User: team_user is not allowed to impersonate team_user","exception":"RemoteException","javaClassName":"org.apache.hadoop.ipc.RemoteException"}}

Thanks,
Nathaniel

From: Larry McCay [mailto:lmccay@hortonworks.com]
Sent: Wednesday, 3 June 2015 13:57
To: user@hadoop.apache.org
Subject: Re: HTTPFS without impersonation

Out of curiosity, what added benefit does having HttpFs run as separate team users give
you?
If the APIs are invoked with SPNEGO or a user.name of the appropriate user, don't you get the
same permission-based protections?

Generally speaking, gateways such as HttpFs provide access on behalf of end users.

On Jun 3, 2015, at 7:44 AM, Nathaniel Braun <n.braun@criteo.com> wrote:


Hi,

Thanks for your answer.

With this setup, only the HTTP user will be able to impersonate other users, so HTTPFS has
to run with the HTTP user.

Instead, I need users to run HTTPFS with their own user, not with the HTTP user.

Thanks

From: Wellington Chevreuil [mailto:wellington.chevreuil@gmail.com]
Sent: Wednesday, 3 June 2015 13:41
To: user@hadoop.apache.org
Subject: Re: HTTPFS without impersonation


Hi, do you have the properties below in the core-site.xml file used by your hdfs?

  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
  </property>

Hello all,

We need to run several HTTPFS instances on our Hadoop cluster, with different users (basically,
one HTTPFS per team).

In our setup, each HTTPFS instance runs as a team user and is allowed write access to that
user's directory only (so, HTTPFS does not run as the httpfs user).

However, this setup does not work, as we get exceptions related to impersonation, such as
this one:

{"RemoteException":{"message":"User: team_user is not allowed to impersonate team_user","exception":"RemoteException","javaClassName":"org.apache.hadoop.ipc.RemoteException"}}

So, it seems that HTTPFS unconditionally tries to impersonate a user, even though it's running
as that same user. Is there a way to somehow disable impersonation?

Thanks for your help.

Regards,
Nathaniel
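
The hadoop.proxyuser.HTTP.hosts and hadoop.proxyuser.HTTP.groups entries quoted in the thread both use the wildcard *, so an audit of core-site.xml for unrestricted proxy users is a natural check here. The script below is an added example, not part of the original messages or of Hadoop itself; the team_user entries, the host name and the group name in the sample are constructed for comparison.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the two properties quoted in the thread, plus
# hypothetical narrower entries for team_user (host and group are made up).
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.team_user.hosts</name>
    <value>httpfs-team.example.com</value>
  </property>
  <property>
    <name>hadoop.proxyuser.team_user.groups</name>
    <value>team_group</value>
  </property>
</configuration>"""

PREFIX = "hadoop.proxyuser."

def proxyuser_rules(xml_text):
    """Return {proxy_user: {"hosts": [...], "groups": [...]}} from core-site.xml text."""
    rules = defaultdict(dict)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # A proxy user name may contain dots, so the scope is the last component.
        user, _, scope = name[len(PREFIX):].rpartition(".")
        if user and scope in ("hosts", "groups"):
            rules[user][scope] = [v.strip() for v in value.split(",") if v.strip()]
    return dict(rules)

def wildcard_findings(rules):
    """List (proxy_user, scope) pairs whose value contains the unrestricted '*'."""
    return sorted((user, scope) for user, scopes in rules.items()
                  for scope, values in scopes.items() if "*" in values)

if __name__ == "__main__":
    for user, scope in wildcard_findings(proxyuser_rules(SAMPLE_CORE_SITE)):
        print(f"{user}: {scope}=* places no restriction on {scope}")
```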

