hadoop-user mailing list archives

From Ivan Frain <ivan.fr...@gmail.com>
Subject Re: Secure hadoop and group permission on HDFS
Date Tue, 09 Oct 2012 06:46:23 GMT
Hi Koert,

Another option is to use the LdapGroupsMapping, which picks up the group
membership from an LDAP directory.
You can find more details on the JIRA issue:
https://issues.apache.org/jira/browse/HADOOP-8121
Up to now, it is available for ActiveDirectory and released in
hadoop-2.0.0-alpha and later releases.
You can easily apply the patch on a 0.23.1; I already did that and it works
well.

OpenLDAP with POSIX groups is not yet supported by this patch; it was
tailored for ActiveDirectory.


BR,
Ivan


2012/10/9 Harsh J <harsh@cloudera.com>

> Koert,
>
> If you use the org.apache.hadoop.security.ShellBasedUnixGroupsMapping
> class (via hadoop.security.group.mapping), then yes the NameNode's
> view of the local unix groups (and the primary group) of the user is
> the final say on what groups the user belongs to. This can be relied
> on - but note that HDFS uses BSD style semantics when it comes to
> groups and when creating directories/files, the parent directory
> groups are inherited automatically unless altered after creation.
>
> On Tue, Oct 9, 2012 at 2:30 AM, Koert Kuipers <koert@tresata.com> wrote:
> > With secure hadoop the user name is authenticated by the kerberos server.
> > But what about the groups that the user is a member of? Are these simply the
> > groups that the user is a member of on the namenode machine?
> > Is it viable to manage access to files on HDFS using groups on a secure
> > hadoop cluster?
> >
>
>
>
> --
> Harsh J
>



-- 
Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
