Subject: svn commit: r1078168 - in /hadoop/hdfs/branches/HDFS-1052: ./
src/c++/libhdfs/ src/contrib/hdfsproxy/
src/docs/src/documentation/content/xdocs/ src/java/
src/java/org/apache/hadoop/hdfs/server/datanode/
src/java/org/apache/hadoop/hdfs/tools/ src/test/h...
Date: Fri, 04 Mar 2011 22:08:09 -0000
To: hdfs-commits@hadoop.apache.org
From: suresh@apache.org
Author: suresh
Date: Fri Mar 4 22:08:09 2011
New Revision: 1078168
URL: http://svn.apache.org/viewvc?rev=1078168&view=rev
Log:
Merging changes r1035508:r1035718 from trunk to federation
Modified:
hadoop/hdfs/branches/HDFS-1052/ (props changed)
hadoop/hdfs/branches/HDFS-1052/CHANGES.txt
hadoop/hdfs/branches/HDFS-1052/build.xml (props changed)
hadoop/hdfs/branches/HDFS-1052/src/c++/libhdfs/ (props changed)
hadoop/hdfs/branches/HDFS-1052/src/contrib/hdfsproxy/ (props changed)
hadoop/hdfs/branches/HDFS-1052/src/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
hadoop/hdfs/branches/HDFS-1052/src/java/ (props changed)
hadoop/hdfs/branches/HDFS-1052/src/java/org/apache/hadoop/hdfs/server/datanode/BlockReceiver.java
hadoop/hdfs/branches/HDFS-1052/src/java/org/apache/hadoop/hdfs/server/datanode/ReplicaInfo.java (props changed)
hadoop/hdfs/branches/HDFS-1052/src/java/org/apache/hadoop/hdfs/tools/DelegationTokenFetcher.java
hadoop/hdfs/branches/HDFS-1052/src/test/hdfs/ (props changed)
hadoop/hdfs/branches/HDFS-1052/src/test/hdfs/org/apache/hadoop/hdfs/MiniDFSCluster.java
hadoop/hdfs/branches/HDFS-1052/src/test/hdfs/org/apache/hadoop/hdfs/TestPipelines.java
hadoop/hdfs/branches/HDFS-1052/src/test/hdfs/org/apache/hadoop/tools/TestDelegationTokenFetcher.java
hadoop/hdfs/branches/HDFS-1052/src/webapps/datanode/ (props changed)
hadoop/hdfs/branches/HDFS-1052/src/webapps/hdfs/ (props changed)
hadoop/hdfs/branches/HDFS-1052/src/webapps/secondary/ (props changed)
Propchange: hadoop/hdfs/branches/HDFS-1052/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Mar 4 22:08:09 2011
@@ -1,4 +1,4 @@
/hadoop/core/branches/branch-0.19/hdfs:713112
/hadoop/hdfs/branches/HDFS-265:796829-820463
/hadoop/hdfs/branches/branch-0.21:820487
-/hadoop/hdfs/trunk:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1036738,1052823,1060619,1061067,1062020
+/hadoop/hdfs/trunk:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1035508,1035515,1035552,1035718,1036738,1052823,1060619,1061067,1062020
Modified: hadoop/hdfs/branches/HDFS-1052/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/hdfs/branches/HDFS-1052/CHANGES.txt?rev=1078168&r1=1078167&r2=1078168&view=diff
==============================================================================
--- hadoop/hdfs/branches/HDFS-1052/CHANGES.txt (original)
+++ hadoop/hdfs/branches/HDFS-1052/CHANGES.txt Fri Mar 4 22:08:09 2011
@@ -298,12 +298,16 @@ Release 0.22.0 - Unreleased
HDFS-1500. TestOfflineImageViewer failing on trunk. (Todd Lipcon
via hairong)
+ HDFS-1467. Append pipeline construction not succeeds with more than
+ one replica. (Todd Lipcon via hairong)
+
IMPROVEMENTS
HDFS-1304. Add a new unit test for HftpFileSystem.open(..). (szetszwo)
HDFS-1096. fix for prev. commit. (boryas)
+
HDFS-1096. allow dfsadmin/mradmin refresh of superuser proxy group
mappings (boryas)
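Review bot: The HDFS-1467 entry reads "Append pipeline construction not succeeds with more than one replica"; reword it, for example "Append pipeline construction fails with more than one replica". The lone added blank line between the two HDFS-1096 entries further down the hunk is a whitespace-only change unrelated to the merged issues and separates two entries that were adjacent; drop it unless trunk carries the same blank line.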
@@ -433,6 +437,11 @@ Release 0.22.0 - Unreleased
HDFS-697. Enable asserts for tests by default. (eli)
+ HDFS-1187. Modify fetchdt to allow renewing and canceling token.
+ (Owen O'Malley and Kan Zhang via jghoman)
+
+ HDFS-1387. Update HDFS permissions guide for security. (Todd Lipcon via eli)
+
OPTIMIZATIONS
HDFS-1140. Speedup INode.getPathComponents. (Dmytro Molkov via shv)
@@ -592,6 +601,9 @@ Release 0.22.0 - Unreleased
HDFS-1466. TestFcHdfsSymlink relies on /tmp/test not existing. (eli)
+ HDFS-874. TestHDFSFileContextMainOperations fails on weirdly
+ configured DNS hosts. (Todd Lipcon via eli)
+
Release 0.21.1 - Unreleased
HDFS-1411. Correct backup node startup command in hdfs user guide.
Propchange: hadoop/hdfs/branches/HDFS-1052/build.xml
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Mar 4 22:08:09 2011
@@ -2,4 +2,4 @@
/hadoop/core/trunk/build.xml:779102
/hadoop/hdfs/branches/HDFS-265/build.xml:796829-820463
/hadoop/hdfs/branches/branch-0.21/build.xml:820487
-/hadoop/hdfs/trunk/build.xml:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1052823,1060619,1061067,1062020
+/hadoop/hdfs/trunk/build.xml:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1035508,1035515,1035552,1035718,1052823,1060619,1061067,1062020
Propchange: hadoop/hdfs/branches/HDFS-1052/src/c++/libhdfs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Mar 4 22:08:09 2011
@@ -1,3 +1,3 @@
/hadoop/core/branches/branch-0.19/mapred/src/c++/libhdfs:713112
/hadoop/core/trunk/src/c++/libhdfs:776175-784663
-/hadoop/hdfs/trunk/src/c++/libhdfs:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1052823,1060619,1061067,1062020
+/hadoop/hdfs/trunk/src/c++/libhdfs:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1035508,1035515,1035552,1035718,1052823,1060619,1061067,1062020
Propchange: hadoop/hdfs/branches/HDFS-1052/src/contrib/hdfsproxy/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Mar 4 22:08:09 2011
@@ -2,4 +2,4 @@
/hadoop/core/trunk/src/contrib/hdfsproxy:776175-784663
/hadoop/hdfs/branches/HDFS-265/src/contrib/hdfsproxy:796829-820463
/hadoop/hdfs/branches/branch-0.21/src/contrib/hdfsproxy:820487
-/hadoop/hdfs/trunk/src/contrib/hdfsproxy:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1052823,1060619,1061067,1062020
+/hadoop/hdfs/trunk/src/contrib/hdfsproxy:987665-1004788,1026178-1028906,1032470-1033639,1034073,1034082-1034181,1034501-1034544,1034932,1035141,1035143,1035145,1035163,1035386,1035410,1035508,1035515,1035552,1035718,1052823,1060619,1061067,1062020
Modified: hadoop/hdfs/branches/HDFS-1052/src/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
URL: http://svn.apache.org/viewvc/hadoop/hdfs/branches/HDFS-1052/src/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml?rev=1078168&r1=1078167&r2=1078168&view=diff
==============================================================================
--- hadoop/hdfs/branches/HDFS-1052/src/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml (original)
+++ hadoop/hdfs/branches/HDFS-1052/src/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml Fri Mar 4 22:08:09 2011
@@ -71,26 +71,41 @@
User Identity
-In this release of Hadoop the identity of a client process is just whatever the host operating system says it is. For Unix-like systems,
+As of Hadoop 0.22, Hadoop supports two different modes of operation to determine the user's identity, specified by the
+hadoop.security.authentication property:
-
-
- The user name is the equivalent of `whoami`;
-
-
- The group list is the equivalent of `bash -c groups`.
-
-
+
+
simple
+
In this mode of operation, the identity of a client process is determined by the host operating system. On Unix-like systems,
+ the user name is the equivalent of `whoami`.
+
kerberos
+
In Kerberized operation, the identity of a client process is determined by its Kerberos credentials. For example, in a
+ Kerberized environment, a user may use the kinit utility to obtain a Kerberos ticket-granting-ticket (TGT) and
+ use klist to determine their current principal. When mapping a Kerberos principal to an HDFS username, all components except for the primary are dropped. For example, a principal todd/foobar@CORP.COMPANY.COM will act as the simple username todd on HDFS.
+
+
+
+Regardless of the mode of operation, the user identity mechanism is extrinsic to HDFS itself.
+There is no provision within HDFS for creating user identities, establishing groups, or processing user credentials.
+
+
+Group Mapping
+
+Once a username has been determined as described above, the list of groups is determined by a group mapping
+service, configured by the hadoop.security.group.mapping property.
+The default implementation, org.apache.hadoop.security.ShellBasedUnixGroupsMapping, will shell out
+to the Unix bash -c groups command to resolve a list of groups for a user.
+
-In the future there will be other ways of establishing user identity (think Kerberos, LDAP, and others). There is no expectation that
-this first method is secure in protecting one user from impersonating another. This user identity mechanism combined with the
-permissions model allows a cooperative community to share file system resources in an organized fashion.
+For HDFS, the mapping of users to groups is performed on the NameNode. Thus, the host system configuration of
+the NameNode determines the group mappings for the users.
-In any case, the user identity mechanism is extrinsic to HDFS itself. There is no provision within HDFS for creating user identities,
-establishing groups, or processing user credentials.
+Note that HDFS stores the user and group of a file or directory as strings; there is no conversion from user and
+group identity numbers as is conventional in Unix.
+
Understanding the Implementation
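Review bot: The rewritten "simple" entry drops the caveat from the removed paragraph ("There is no expectation that this first method is secure in protecting one user from impersonating another") without replacing it. In simple mode the identity is still whatever the client's host operating system reports, so the entry should state plainly that this mode performs no authentication and does not protect one user from impersonating another. The kerberos entry should also note that, because every component except the primary is dropped, principals that differ only in their other components (todd/foobar@CORP.COMPANY.COM and any other principal whose primary is todd) act as the same HDFS username.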
@@ -104,14 +119,6 @@ A second request made to find additional
that already knows the blocks of the file. With the addition of permissions, a client's access to a file may be withdrawn between
requests. Again, changing permissions does not revoke the access of a client that already knows the file's blocks.
-
-The MapReduce framework delegates the user identity by passing strings without special concern for confidentiality. The owner
-and group of a file or directory are stored as strings; there is no conversion from user and group identity numbers as is conventional in Unix.
-
-
-The permissions features of this release did not require any changes to the behavior of data nodes. Blocks on the data nodes
-do not have any of the Hadoop ownership or permissions attributes associated with them.
-
Changes to the File System API
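Review bot: The second removed paragraph (blocks on the data nodes carry no Hadoop ownership or permissions attributes) is deleted outright, while only the "stored as strings" sentence from the first removed paragraph is carried over to the new Group Mapping section. The surviving context still tells readers that changing permissions does not revoke the access of a client that already knows a file's blocks, so the guide should either keep the data node statement or replace it with a description of how access at the data nodes is controlled when hadoop.security.authentication is kerberos. The removed remark that MapReduce passes the user identity "without special concern for confidentiality" likewise needs a replacement saying whether it still holds in each mode.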
@@ -198,19 +205,12 @@ permission parameter P) is used
The Web Server
-The identity of the web server is a configuration parameter. That is, the name node has no notion of the identity of
+By default, the identity of the web server is a configuration parameter. That is, the name node has no notion of the identity of
the real user, but the web server behaves as if it has the identity (user and groups) of a user chosen
-by the administrator. Unless the chosen identity matches the super-user, parts of the name space may be invisible
+by the administrator. Unless the chosen identity matches the super-user, parts of the name space may be inaccessible
to the web server.
-On-line Upgrade
-
-If a cluster starts with a version 0.15 data set (fsimage), all files and directories will have
-owner O, group G, and mode M, where O and G
-are the user and group identity of the super-user, and M is a configuration parameter.
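Review bot: "By default" in the first changed line of The Web Server section implies a non-default behaviour, but the visible text never says what that behaviour is or which setting selects it. Either describe the alternative (for instance, how the web server's identity is determined when kerberos mode is enabled) or drop the qualifier. Removing the On-line Upgrade section also deletes the only description of the owner, group and mode assigned to files loaded from a version 0.15 fsimage; confirm that this upgrade path no longer needs documenting before dropping it.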