[
https://issues.apache.org/jira/browse/HADOOP-1873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546425
]
Doug Cutting commented on HADOOP-1873:
--------------------------------------
> Most of dfs users are also map/reduce users. So using jobtracker/tasktracker
> group is almost equivalent to world-wide readable.
I don't follow this. We should have a group called something like
"mapred-daemon" that most users do not belong to but that the user running the
mapred daemons does belong to. That group should be able to read the submitted
job files. Won't that work?
> All the groups and user names are fetched from unix. So it is quite a burden
> to create a jobtracker/tasktracker group for every mapreduce user in Unix.
We only need a single group. If adding a new group for this is impractical
then we could use the standard unix group named "daemon", and run all daemons
as "daemon". We could change our launch scripts to use 'sudo -u daemon'. The
default user and group could be "daemon", optionally overridden by an
environment variable in conf/hadoop-env.sh.
> User permissions for Map/Reduce
> -------------------------------
>
> Key: HADOOP-1873
> URL: https://issues.apache.org/jira/browse/HADOOP-1873
> Project: Hadoop
> Issue Type: Improvement
> Reporter: Raghu Angadi
> Assignee: Hairong Kuang
>
> HADOOP-1298 and HADOOP-1701 add permissions and pluggable security for DFS
> files and DFS accesses. Same users permission should work for Map/Reduce jobs
> as well.
> User persmission should propegate from client to map/reduce tasks and all the
> file operations should be subject to user permissions. This is transparent to
> the user (i.e. no changes to user code should be required).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
