hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-5571) allow access to the DFS job submission + staging directory by members of the job submitters group
Date Mon, 07 Oct 2013 23:14:43 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13788689#comment-13788689
] 

Hadoop QA commented on MAPREDUCE-5571:
--------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12606593/HADOOP-1.2-PERM.patch
  against trunk revision .

    {color:red}-1 patch{color}.  The patch command could not apply the patch.

Console output: https://builds.apache.org/job/PreCommit-MAPREDUCE-Build/4101//console

This message is automatically generated.

> allow access to the DFS job submission + staging directory by members of the job submitters
group
> -------------------------------------------------------------------------------------------------
>
>                 Key: MAPREDUCE-5571
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-5571
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>    Affects Versions: 1.2.1, 2.0.5-alpha
>         Environment: linux
>            Reporter: bradley childs
>         Attachments: HADOOP-1.2-PERM.patch, hadoop-2.0.5-perm.patch
>
>
> The job submission and staging directories are explicitly given 0700 permissions restricting
access of job submission files only to the submitter UID. this prevents hadoop daemon services
running under different UIDs from reading the job submitters files.  it is common unix practice
to run daemon services under their own UIDs for security purposes.
> This bug can be demonstrated by creating a single node configuration, which runs LocalFileSystem
and not HDFS.  Create two users and add them to a 'hadoop' group.  Start the hadoop services
with one of the users, then submit a map/reduce job with the other user (or run one of the
examples).  Job submission ultimately fails and the M/R job doesn't execute.
> The fix is simple enough and secure-- change the staging directory permissions to 2750.
 i have demonstrated the patch against 2.0.5 (along  with another fix for an incorrect decimal->octal
conversion) and will attach the patch.
> this bug is present since very early versions.  i would like to fix it at the lowest
level as  it's a simple file mode change in all versions, and localized to one file.  is this
possible?



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message