From: Harsh J
Date: Tue, 9 Oct 2012 08:04:47 +0530
Subject: Re: Secure hadoop and group permission on HDFS
To: user@hadoop.apache.org

Koert,

If you use the org.apache.hadoop.security.ShellBasedUnixGroupsMapping class (via hadoop.security.group.mapping), then yes, the NameNode's view of the local unix groups (and the primary group) of the user is the final say on what groups the user belongs to. This can be relied on - but note that HDFS uses BSD-style semantics when it comes to groups: when creating directories/files, the parent directory's group is inherited automatically unless altered after creation.

On Tue, Oct 9, 2012 at 2:30 AM, Koert Kuipers wrote:
> With secure hadoop the user name is authenticated by the kerberos server.
> But what about the groups that the user is a member of? Are these simply the
> groups that the user is a member of on the namenode machine?
> Is it viable to manage access to files on HDFS using groups on a secure
> hadoop cluster?

--
Harsh J
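The two points in Harsh's reply, as an added Python model that is not part of the thread and not Hadoop's own code: the NameNode host's local group database decides which groups a user is in, and a new file or directory takes its parent directory's group (BSD-style) rather than the creator's primary group. The group table, users and directory tree are constructed sample data, and the permission check is a plain POSIX-bits model, not HDFS's implementation.

```python
from dataclasses import dataclass, field

# Constructed stand-in for what /etc/passwd and /etc/group look like on the
# NameNode host. With ShellBasedUnixGroupsMapping, this view (not the client's
# or the DataNode's) is what authorization decisions are based on.
NAMENODE_PRIMARY_GROUP = {"koert": "koert", "alice": "analysts", "bob": "bob"}
NAMENODE_GROUP_MEMBERS = {"analysts": {"alice", "koert"}, "ops": {"bob"}}

def namenode_groups(user: str) -> set[str]:
    """Roughly what `hdfs groups <user>` reports: primary group plus memberships."""
    groups = {g for g, members in NAMENODE_GROUP_MEMBERS.items() if user in members}
    if user in NAMENODE_PRIMARY_GROUP:
        groups.add(NAMENODE_PRIMARY_GROUP[user])
    return groups

@dataclass
class Inode:
    owner: str
    group: str
    mode: int                      # e.g. 0o750
    children: dict = field(default_factory=dict)

def create(root: Inode, path: str, user: str, mode: int) -> Inode:
    """Create `path` under `root`. BSD-style: the new inode inherits the
    parent directory's group, not the creating user's primary group."""
    *parents, name = path.strip("/").split("/")
    parent = root
    for p in parents:
        parent = parent.children[p]
    node = Inode(owner=user, group=parent.group, mode=mode)
    parent.children[name] = node
    return node

R, W, X = 4, 2, 1

def can_access(node: Inode, user: str, want: int) -> bool:
    """Owner / group / other bit check; the group class uses the NameNode's view."""
    if user == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in namenode_groups(user):
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def demo():
    root = Inode(owner="hdfs", group="supergroup", mode=0o755)
    data = create(root, "/data", user="hdfs", mode=0o750)
    data.group = "analysts"        # explicit chgrp after creation
    report = create(root, "/data/report", user="koert", mode=0o640)
    # report is group "analysts" (inherited), even though koert's primary group is "koert"
    return report.group, can_access(report, "alice", R), can_access(report, "bob", R)
```

Running `demo()` shows the file created by koert ends up in group analysts, so alice (an analysts member on the NameNode host) can read it while bob cannot.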