[ https://issues.apache.org/jira/browse/HADOOP-4491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735669#action_12735669 ]

Hemanth Yamijala commented on HADOOP-4491:
------------------------------------------

Owen and I had an offline discussion about this, and we felt another approach
to try out was to see if we could have the directories and files owned by the
user and group-owned by the tasktracker. The group ownership should be sticky
so permissions are inherited. The permissions must apply for all the relevant
components in the paths.

So, $jobid and $attemptid in the examples above would be owned by the user,
group-owned by mapred, and have permissions like 570 or similar.

This might also remove the need to have parallel directory structures.

The rationale for this approach follows from the fact that for maximum security
the task-controller executable needs to be group owned by the tasktracker (to
prevent other users from launching it). Hence, this almost means that the
tasktracker user is a special user in the system that is required for secure
installations. And it can be set up such that the user is in a separate group on
its own.

Thoughts?

> Per-job local data on the TaskTracker node should have right access-control
> ---------------------------------------------------------------------------
>
> Key: HADOOP-4491
> URL: https://issues.apache.org/jira/browse/HADOOP-4491
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Arun C Murthy
> Assignee: Vinod K V
> Attachments: HADOOP-4491-20090623-common.1.txt,
> HADOOP-4491-20090623-mapred.1.txt, HADOOP-4491-20090703-common.1.txt,
> HADOOP-4491-20090703-common.txt, HADOOP-4491-20090703.1.txt,
> HADOOP-4491-20090703.txt, HADOOP-4491-20090707-common.txt,
> HADOOP-4491-20090707.txt, HADOOP-4491-20090716-mapred.txt
>
>
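
An added example, not part of the original comment or of the Hadoop code base: a Python audit of the ownership scheme proposed in the comment, applied to every path component down to the attempt directory. It assumes the "sticky" group ownership is implemented with the setgid bit on each directory and treats 570 as the exact expected mode; the names `Entry`, `check_dir` and `audit_path` and the uid/gid values passed in are hypothetical.

```python
import os
import stat
from typing import NamedTuple

EXPECTED_PERMS = 0o570  # the comment's example mode: user r-x, group rwx, others none


class Entry(NamedTuple):
    """The stat fields the audit needs, so it can be exercised without a filesystem."""
    path: str
    mode: int
    uid: int
    gid: int


def check_dir(e, user_uid, tt_gid, perms=EXPECTED_PERMS):
    """Return a list of findings for one path component of a job's local directory."""
    if not stat.S_ISDIR(e.mode):
        return [f"{e.path}: not a directory (symlink or file in the path)"]
    findings = []
    if e.uid != user_uid:
        findings.append(f"{e.path}: owner uid {e.uid}, expected job user {user_uid}")
    if e.gid != tt_gid:
        findings.append(f"{e.path}: group gid {e.gid}, expected tasktracker group {tt_gid}")
    if not (e.mode & stat.S_ISGID):
        # Assumption: group inheritance relies on the setgid bit of the parent directory.
        findings.append(f"{e.path}: setgid missing, new entries will not inherit the group")
    if e.mode & stat.S_IRWXO:
        findings.append(f"{e.path}: accessible to other users")
    elif (e.mode & 0o777) != perms:
        findings.append(f"{e.path}: mode {e.mode & 0o777:o}, expected {perms:o}")
    return findings


def audit_path(base, leaf, user_uid, tt_gid):
    """Check every component below base down to leaf, e.g. $jobid and then $attemptid."""
    findings, current = [], base
    for part in os.path.relpath(leaf, base).split(os.sep):
        current = os.path.join(current, part)
        st = os.lstat(current)  # lstat, so a symlinked component is reported, not followed
        entry = Entry(current, st.st_mode, st.st_uid, st.st_gid)
        findings += check_dir(entry, user_uid, tt_gid)
    return findings
```
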