[
https://issues.apache.org/jira/browse/HDFS-12372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16147612#comment-16147612
]
Kihwal Lee commented on HDFS-12372:
-----------------------------------
As you can see from the code, issuing command as a hdfs admin user still works.
The change only affects the Datanode user.
{code:java}
/** Check whether the current user is in the superuser group. */
private void checkSuperuserPrivilege() throws IOException,
AccessControlException {
...
// Is this by the DN user itself?
assert dnUserName != null;
if (callerUgi.getUserName().equals(dnUserName)) {
return;
}
// Is the user a member of the super group?
List<String> groups = Arrays.asList(callerUgi.getGroupNames());
if (groups.contains(supergroup)) {
return;
}
// Not a superuser.
throw new AccessControlException();
}
{code}
> Document the impact of HDFS-11069 (Tighten the authorization of datanode RPC)
> -----------------------------------------------------------------------------
>
> Key: HDFS-12372
> URL: https://issues.apache.org/jira/browse/HDFS-12372
> Project: Hadoop HDFS
> Issue Type: Improvement
> Affects Versions: 2.8.0, 2.9.0, 2.7.4, 3.0.0-alpha2
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
>
> The idea of HDFS-11069 is good. But it seems to cause confusion for
> administrators when they issue commands like hdfs diskbalancer, or hdfs
> dfsadmin, because this change of behavior is not documented properly.
> I suggest we document a recommended way to kinit (e.g. kinit as
> hdfs/ho...@host1.example.com, rather than h...@example.com), as well as
> documenting a notice for running privileged DataNode commands in a Kerberized
> clusters
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
