From: Ivan Frain
To: user@hadoop.apache.org
Date: Tue, 9 Oct 2012 08:46:23 +0200
Subject: Re: Secure hadoop and group permission on HDFS

Hi Koert,

Another option is to use the LdapGroupsMapping, which picks up the group membership from an LDAP directory.
You can find more details on the JIRA issue: https://issues.apache.org/jira/browse/HADOOP-8121
Up to now, it is available for ActiveDirectory and released in hadoop-2.0.0-alpha and next releases.
You can easily apply the patch on a 0.23.1; I already did that and it works well.

OpenLdap with POSIX groups is not yet supported by this patch; it was tailored for ActiveDirectory.

BR,
Ivan

2012/10/9 Harsh J <harsh@cloudera.com>
> Koert,
>
> If you use the org.apache.hadoop.security.ShellBasedUnixGroupsMapping
> class (via hadoop.security.group.mapping), then yes, the NameNode's
> view of the local unix groups (and the primary group) of the user is
> the final say on what groups the user belongs to. This can be relied
> on, but note that HDFS uses BSD-style semantics when it comes to
> groups: when creating directories/files, the parent directory
> groups are inherited automatically unless altered after creation.
>
> On Tue, Oct 9, 2012 at 2:30 AM, Koert Kuipers <koert@tresata.com> wrote:
> > With secure Hadoop the user name is authenticated by the Kerberos server.
> > But what about the groups that the user is a member of? Are these simply the
> > groups that the user is a member of on the namenode machine?
> > Is it viable to manage access to files on HDFS using groups on a secure
> > hadoop cluster?
> >
>
> --
> Harsh J

--
Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
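An added example, not the thread's own text or Hadoop's shipped documentation: a core-site.xml fragment setting up the two mappings discussed above, using the LdapGroupsMapping property names from core-default.xml in the 2.x line (check them against your release). The directory host, bind DN, base DN and password-file path are placeholder values.

```xml
<?xml version="1.0"?>
<!-- core-site.xml fragment (added example, not from the thread). The
     NameNode maps the authenticated principal's short name to groups via
     the class in hadoop.security.group.mapping; HDFS permission checks
     use that server-side list, never group claims sent by a client. -->
<configuration>

  <!-- Option 1 (Harsh's answer): groups are whatever the NameNode's own
       OS reports, i.e. `id -Gn <user>` on the NameNode host. Only that
       host's /etc/group or NSS setup matters; client-side groups do not. -->
  <!--
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
  </property>
  -->

  <!-- Option 2 (Ivan's answer, HADOOP-8121): groups are read from Active
       Directory, so no local accounts are needed on the NameNode. -->
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldap://ad.example.internal:636</value> <!-- placeholder host -->
  </property>
  <property> <!-- TLS to the directory; trust-store properties omitted -->
    <name>hadoop.security.group.mapping.ldap.ssl</name>
    <value>true</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>CN=hadoop-svc,OU=Service Accounts,DC=example,DC=internal</value>
  </property>
  <property> <!-- root-only file instead of ...ldap.bind.password, so the
                  secret is not in the world-readable core-site.xml -->
    <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <value>/etc/hadoop/conf/ldap-bind.pw</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.base</name>
    <value>DC=example,DC=internal</value>
  </property>
  <property> <!-- AD lookup: user by sAMAccountName, membership via member -->
    <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
    <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
  </property>
</configuration>
```

After restarting the NameNode, `hdfs groups <user>` prints the group list the NameNode actually resolved, which is the quickest way to confirm the mapping before relying on it for HDFS permissions.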