hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HDFS-11400) Automatic HDFS Home Directory Creation
Date Fri, 10 Feb 2017 15:21:41 GMT

    [ https://issues.apache.org/jira/browse/HDFS-11400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861405#comment-15861405
] 

Allen Wittenauer edited comment on HDFS-11400 at 2/10/17 3:21 PM:
------------------------------------------------------------------

bq. Given NN resolves users from OS / Kerberos, this would mean the OS / Kerberos systems
have already been compromised to have had fake users added?

No, it doesn't. If I access a home dir as a privileged user (e.g., hdfs) then I'm not sure
why there would be a validation made against an individual user's external existence.

bq. How about these ideas?

Honestly?  It sounds like a lot of work for very little reward.  Why is creating a directory
such a heavy burden?  

Also, doesn't the NN plugin system already give one a way to implement this feature without
clogging up the rest of the code base?

bq. it seems silly in retrospect for admins to keep writing scripts to do this for every client
when this could be solved once and for all via NN logic

Whoever is building this on a per client basis\-\-if I'm interpreting that statement correctly\-\-probably
is an extremely inexperienced admin.

Take a step back from Hadoop and it becomes obvious: there are bits that have to get done
outside the NN anyway.  That usually includes account validation, group setup, etc, etc. 
Removing the hdfs dir creation doesn't really save a whole lot of time/effort (one or two
commands).  Instead, it adds a whole lot of burden by having to configure all of these other
controls.


was (Author: aw):
bq. Given NN resolves users from OS / Kerberos, this would mean the OS / Kerberos systems
have already been compromised to have had fake users added?

No, it doesn't. If I access a home dir as a privileged user (e.g., hdfs) then I'm not sure
why there would be a validation made against an individual user's external existence.

bq. How about these ideas?

Honestly?  It sounds like a lot of work for very little reward.  Why is creating a directory
such a heavy burden?  

Also, doesn't the NN plugin system already give one a way to implement this feature without
clogging up the rest of the code base?

bq. it seems silly in retrospect for admins to keep writing scripts to do this for every client
when this could be solved once and for all via NN logic

Whoever is building this on a per client basis--if I'm interpreting that statement correctly--probably
is an extremely inexperienced admin.

Take a step back from Hadoop and it becomes obvious: there are bits that have to get done
outside the NN anyway.  That usually includes account validation, group setup, etc, etc. 
Removing the hdfs dir creation doesn't really save a whole lot of time/effort (one or two
commands).  Instead, it adds a whole lot of burden by having to configure all of these other
controls.

> Automatic HDFS Home Directory Creation
> --------------------------------------
>
>                 Key: HDFS-11400
>                 URL: https://issues.apache.org/jira/browse/HDFS-11400
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: hdfs, namenode
>    Affects Versions: 2.7.1
>         Environment: HDP 2.4.2
>            Reporter: Hari Sekhon
>
> Feature Request to add automatic home directory creation for HDFS users when they are
first resolved by the NameNode if their home directory does not already exist, using configurable
umask defaulting to 027.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org


Mime
View raw message