hadoop-hdfs-issues mailing list archives

From "Kihwal Lee (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-12372) Document the impact of HDFS-11069 (Tighten the authorization of datanode RPC)
Date Wed, 30 Aug 2017 17:02:00 GMT

    [ https://issues.apache.org/jira/browse/HDFS-12372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16147612#comment-16147612 ]

Kihwal Lee commented on HDFS-12372:
-----------------------------------

As you can see from the code, issuing a command as an hdfs admin user still works. The change
only affects the Datanode user.

{code:java}
  /** Check whether the current user is in the superuser group. */
  private void checkSuperuserPrivilege() throws IOException, AccessControlException {
...
    // Is this by the DN user itself?
    assert dnUserName != null;
    if (callerUgi.getUserName().equals(dnUserName)) {
      return;
    }

    // Is the user a member of the super group?
    List<String> groups = Arrays.asList(callerUgi.getGroupNames());
    if (groups.contains(supergroup)) {
      return;
    }
    // Not a superuser.
    throw new AccessControlException();
  }
{code}

> Document the impact of HDFS-11069 (Tighten the authorization of datanode RPC)
> -----------------------------------------------------------------------------
>
>                 Key: HDFS-12372
>                 URL: https://issues.apache.org/jira/browse/HDFS-12372
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>    Affects Versions: 2.8.0, 2.9.0, 2.7.4, 3.0.0-alpha2
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>
> The idea of HDFS-11069 is good. But it seems to cause confusion for administrators when they issue commands like hdfs diskbalancer, or hdfs dfsadmin, because this change of behavior is not documented properly.
> I suggest we document a recommended way to kinit (e.g. kinit as hdfs/host1@host1.EXAMPLE.COM, rather than hdfs@EXAMPLE.COM), as well as documenting a notice for running privileged DataNode commands in Kerberized clusters.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
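
The check quoted in the comment above, run against the identities named in the issue description, as an added stand-alone example that is not part of the original message or Hadoop's own code. The `Caller` record, the `allowed` helper, the group names and the `SecurityException` are hypothetical stand-ins, and the model assumes the user name being compared is the full Kerberos principal.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

/** Added illustration: a stand-alone model of the quoted check, not Hadoop code. */
public class DnRpcAuthzModel {
  /** Hypothetical stand-in for the caller's UGI: user name plus group names. */
  record Caller(String userName, String... groupNames) {}

  /** Same order as the quoted method: DN user first, then super group. */
  static void checkSuperuserPrivilege(Caller caller, String dnUserName, String supergroup) {
    // Fail closed on a missing DN identity; a Java `assert` only runs with -ea.
    Objects.requireNonNull(dnUserName, "dnUserName");
    // Exact string match: a different instance or realm part is a different user.
    if (caller.userName().equals(dnUserName)) {
      return;
    }
    List<String> groups = Arrays.asList(caller.groupNames());
    if (groups.contains(supergroup)) {
      return;
    }
    throw new SecurityException(caller.userName() + " is not the DN user or in " + supergroup);
  }

  static boolean allowed(Caller c, String dnUserName, String supergroup) {
    try {
      checkSuperuserPrivilege(c, dnUserName, supergroup);
      return true;
    } catch (SecurityException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Constructed values; the principal names follow the issue description.
    String dnUser = "hdfs/host1@host1.EXAMPLE.COM";
    String supergroup = "supergroup";
    Caller[] callers = {
      new Caller("hdfs/host1@host1.EXAMPLE.COM"),          // the DN user itself
      new Caller("hdfs@EXAMPLE.COM", "supergroup"),        // admin in the super group
      new Caller("hdfs@EXAMPLE.COM", "users"),             // same short name, no super group
      new Caller("hdfs/host2@host2.EXAMPLE.COM", "users"), // another host's principal
    };
    for (Caller c : callers) {
      System.out.printf("%-30s groups=%-14s -> %s%n", c.userName(),
          Arrays.toString(c.groupNames()), allowed(c, dnUser, supergroup) ? "allowed" : "denied");
    }
  }
}
```

In this model the first two callers are allowed and the last two are denied.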
