From: "Gangavarapu, Venkata"
To: "user@hadoop.apache.org"
Subject: RE: Restric hdfs user access - security.client.protocol.acl
Date: Wed, 29 Jul 2015 14:50:38 +0000

Hi folks,

Any suggestion for my below issue?

Thanks,
Venkat

From: Gangavarapu, Venkata
Sent: Monday, July 27, 2015 10:18 PM
To: user@hadoop.apache.org
Subject: Restric hdfs user access - security.client.protocol.acl

Hi,

I am trying to restrict hdfs user access to read/modify hdfs file system. As part of that I have set below values.

security.client.protocol.acl: yarn,mapred hdpdhdfs
dfs.cluster.administrators : hdpdadmngrp

hdpdhdfsgrp: user1, admin
hdpdadmngrp: hdfs, admin

From the above settings, I want to achieve my goal of restricting hdfs user access to file system but want hdfs user to perform admin actions such as hdfs dfs dfsadmin/hdadmin.

But I am seeing below error when I try to run hdfs dfsadmin -safemode get

[hdfs@nn ~]$ hdfs dfsadmin -safemode get
safemode: User hdfs@EXAMPLE.COM (auth:KERBEROS) is not authorized for protocol interface org.apache.hadoop.hdfs.protocol.ClientProtocol, expected client Kerberos principal is null

If I include hdfs user under security.client.protocol.acl the error is gone but hdfs user can read/write to hdfs file system.

Please help me out with how to restrict hdfs user access to the file system while it can still perform administrative actions.

Thanks,
Venkat

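The ACL values in the message use Hadoop's `users groups` format: comma-separated users, one space, then comma-separated groups. The Python model below is an added example, not part of the original message and not Hadoop's own code; it evaluates the posted values to show why `hdfs` is rejected on ClientProtocol. Function names are hypothetical, and whether the configured `dfs.cluster.administrators` value starts with a space is an assumption.

```python
# Added example: simplified model of Hadoop's service-level ACL check.
# Function names are hypothetical; this is not Hadoop's own code.

def parse_acl(value):
    """Split an ACL value into (allow_all, users, groups)."""
    if value.strip() == "*":
        return True, set(), set()
    # Users come before the first space and groups after it, so a
    # groups-only value has to begin with a space.
    users_part, _, groups_part = value.partition(" ")
    users = {u.strip() for u in users_part.split(",") if u.strip()}
    groups = {g.strip() for g in groups_part.split(",") if g.strip()}
    return False, users, groups


def is_authorized(user, acl_value, membership):
    """True if the user is listed or belongs to a listed group."""
    allow_all, users, groups = parse_acl(acl_value)
    if allow_all or user in users:
        return True
    user_groups = {g for g, members in membership.items() if user in members}
    return bool(groups & user_groups)


# Values as posted in the message above.
MEMBERSHIP = {"hdpdhdfsgrp": {"user1", "admin"},
              "hdpdadmngrp": {"hdfs", "admin"}}
CLIENT_ACL = "yarn,mapred hdpdhdfs"  # security.client.protocol.acl


def evaluate():
    """Check the cases the message describes against the model."""
    return {
        # ClientProtocol also carries 'dfsadmin -safemode get', per the error.
        "hdfs, ACL as posted": is_authorized("hdfs", CLIENT_ACL, MEMBERSHIP),
        "hdfs added as user": is_authorized(
            "hdfs", "yarn,mapred,hdfs hdpdhdfs", MEMBERSHIP),
        # The ACL names group hdpdhdfs; the membership list shows hdpdhdfsgrp.
        "user1, ACL as posted": is_authorized("user1", CLIENT_ACL, MEMBERSHIP),
        # Assumption: the leading space of the configured value is unknown.
        "admin ACL without leading space": is_authorized(
            "hdfs", "hdpdadmngrp", MEMBERSHIP),
        "admin ACL with leading space": is_authorized(
            "hdfs", " hdpdadmngrp", MEMBERSHIP),
    }


if __name__ == "__main__":
    for case, allowed in evaluate().items():
        print(f"{case:34} -> {'allowed' if allowed else 'denied'}")
```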