[ https://issues.apache.org/jira/browse/HDFS-12372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16147612#comment-16147612 ]
Kihwal Lee commented on HDFS-12372:
-----------------------------------

As you can see from the code, issuing a command as an hdfs admin user still works. The change only affects the Datanode user.

{code:java}
  /** Check whether the current user is in the superuser group. */
  private void checkSuperuserPrivilege() throws IOException, AccessControlException {
    ...
    // Is this by the DN user itself?
    assert dnUserName != null;
    if (callerUgi.getUserName().equals(dnUserName)) {
      return;
    }

    // Is the user a member of the super group?
    List<String> groups = Arrays.asList(callerUgi.getGroupNames());
    if (groups.contains(supergroup)) {
      return;
    }
    // Not a superuser.
    throw new AccessControlException();
  }
{code}

> Document the impact of HDFS-11069 (Tighten the authorization of datanode RPC)
> -----------------------------------------------------------------------------
>
>                 Key: HDFS-12372
>                 URL: https://issues.apache.org/jira/browse/HDFS-12372
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>   Affects Versions: 2.8.0, 2.9.0, 2.7.4, 3.0.0-alpha2
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>
> The idea of HDFS-11069 is good. But it seems to cause confusion for
> administrators when they issue commands like hdfs diskbalancer, or hdfs
> dfsadmin, because this change of behavior is not documented properly.
> I suggest we document a recommended way to kinit (e.g. kinit as
> hdfs/ho...@host1.example.com, rather than h...@example.com), as well as
> documenting a notice for running privileged DataNode commands in
> Kerberized clusters