hadoop-hdfs-issues mailing list archives

From "Jeff Hansen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6717) Jira HDFS-5804 breaks default nfs-gateway behavior for unsecured config
Date Mon, 28 Jul 2014 21:23:40 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14076902#comment-14076902 ]

Jeff Hansen commented on HDFS-6717:

Sorry I didn't comment on this before -- I guess I still don't see how the updates to the
documentation would fix the "nfsserver cannot impersonate root" remote exception I described
above (hdfs was the user I was running nfsserver as at the time when I got the exception).

My fix was to allow nfsserver to impersonate anybody -- I set the proxy users to star (*)
or wildcard so that nfsserver was allowed to impersonate anybody including root. It kind of
seems the documentation needs to say that you should explicitly add root to the proxy users
list for the nfsserver person. Is there a better way to get around this? If so, I'm missing
it if it's already been spelled out in the documentation.

The reason nfsserver needs to impersonate root is because most users can't run the unix mount
command -- even if you add it to the fstab file and allow users to mount an nfs mount, the
user can run the mount command, but the service still mounts the directory as root. If there's
a better way to mount the directory short of being root, it's not clear to me from the documentation.


> Jira HDFS-5804 breaks default nfs-gateway behavior for unsecured config
> -----------------------------------------------------------------------
>                 Key: HDFS-6717
>                 URL: https://issues.apache.org/jira/browse/HDFS-6717
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: nfs
>    Affects Versions: 2.4.0
>            Reporter: Jeff Hansen
>            Assignee: Brandon Li
>            Priority: Minor
>             Fix For: 2.5.0
>         Attachments: HDFS-6717.001.patch, HdfsNfsGateway.html
> I believe this is just a matter of needing to update documentation. As a result of https://issues.apache.org/jira/browse/HDFS-5804,
> the secure and unsecure code paths appear to have been merged -- this is great because it
> means less code to test. However, it means that the default unsecure behavior requires additional
> configuration that needs to be documented.
> I'm not the first to have trouble following the instructions documented in http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html
> I kept hitting a RemoteException with the message that hdfs user cannot impersonate root
> -- apparently under the old code, there was no impersonation going on, so the nfs3 service
> could and should be run under the same user id that runs hadoop (I assumed this meant the
> user id "hdfs"). However, with the new unified code path, that would require hdfs to be able
> to impersonate root (because root is always the local user that mounts a drive). The comments
> in jira hdfs-5804 seem to indicate nobody has a problem with requiring the nfsserver user
> to impersonate root -- if that means it's necessary for the configuration to include root
> as a user nfsserver can impersonate, that should be included in the setup instructions.
> More to the point, it appears to be absolutely necessary now to provision a user named
> "nfsserver" in order to be able to give that nfsserver ability to impersonate other users.
> Alternatively I think we'd need to configure hdfs to be able to proxy other users. I'm not
> really sure what the best practice should be, but it should be documented since it wasn't
> needed in the past.

This message was sent by Atlassian JIRA
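
An added example, not part of the JIRA thread or of the Hadoop project's code: a small audit of the `hadoop.proxyuser.<user>.groups` and `hadoop.proxyuser.<user>.hosts` entries in core-site.xml for the account that runs the NFS gateway. It flags the wildcard setting described in the comment and checks that a scoped entry still covers the mounting user (root). The XML fragments, host name and group names are constructed, and that root belongs to a group named `root` is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragments (not from the thread). The gateway user
# name "nfsserver" follows the thread; host and group values are placeholders.
WILDCARD_SITE = """<configuration>
  <property><name>hadoop.proxyuser.nfsserver.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.nfsserver.hosts</name><value>*</value></property>
</configuration>"""

SCOPED_SITE = """<configuration>
  <property><name>hadoop.proxyuser.nfsserver.groups</name><value>root,nfs-users</value></property>
  <property><name>hadoop.proxyuser.nfsserver.hosts</name><value>nfs-gw.example.internal</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."

def proxyuser_rules(site_xml):
    """Return {proxy_user: {"groups": [...], "hosts": [...]}} from core-site XML."""
    rules = {}
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # Split "nfsserver.groups" into the proxy user and the rule kind.
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if user and kind in ("groups", "hosts"):
            values = [v.strip() for v in (prop.findtext("value") or "").split(",")]
            rules.setdefault(user, {})[kind] = [v for v in values if v]
    return rules

def audit(site_xml, gateway_user, mount_user_groups):
    """List findings for the account that runs the NFS gateway."""
    rule = proxyuser_rules(site_xml).get(gateway_user)
    if rule is None:
        return [f"{gateway_user}: no proxyuser entries, impersonation will be refused"]
    findings = []
    for kind in ("groups", "hosts"):
        allowed = rule.get(kind, [])
        if not allowed:
            findings.append(f"{gateway_user}: {kind} unset, impersonation will be refused")
        elif "*" in allowed:
            findings.append(f"{gateway_user}: {kind} is a wildcard")
    # Assumption: mount_user_groups is how the cluster resolves root's groups.
    groups = rule.get("groups", [])
    if groups and "*" not in groups and not set(groups) & set(mount_user_groups):
        findings.append(f"{gateway_user}: mounting user's groups are not allowed")
    return findings
```
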