[ https://issues.apache.org/jira/browse/HDFS-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079698#comment-14079698 ]

Jeff Hansen commented on HDFS-6717:
-----------------------------------

Looks good!

By the way, when I said I was having trouble concentrating, that had more to do 
with the state of my mind -- I may have been tired, hungover, in the middle of 
a beer... cough...

One comment I will make -- I found the name of the configuration property 
hadoop.proxyuser.*.groups to be somewhat misleading. There was a moment when I 
thought, "great, now I have to create a unix group and add my user to it." Then 
I realized "groups" had nothing to do with unix groups, it was just a bit of a 
misnomer and really meant users. 

Anyway, thanks for all the help -- it's been a learning experience!



> Jira HDFS-5804 breaks default nfs-gateway behavior for unsecured config
> -----------------------------------------------------------------------
>
>                 Key: HDFS-6717
>                 URL: https://issues.apache.org/jira/browse/HDFS-6717
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: nfs
>    Affects Versions: 2.4.0
>            Reporter: Jeff Hansen
>            Assignee: Brandon Li
>            Priority: Minor
>             Fix For: 2.5.0
>
>         Attachments: HDFS-6717.001.patch, HDFS-6717.more-change.patch, 
> HdfsNfsGateway.html
>
>
> I believe this is just a matter of needing to update documentation. As a 
> result of https://issues.apache.org/jira/browse/HDFS-5804, the secure and 
> unsecure code paths appear to have been merged -- this is great because it 
> means less code to test. However, it means that the default unsecure behavior 
> requires additional configuration that needs to be documented. 
> I'm not the first to have trouble following the instructions documented in 
> http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html
> I kept hitting a RemoteException with the message that hdfs user cannot 
> impersonate root -- apparently under the old code, there was no impersonation 
> going on, so the nfs3 service could and should be run under the same user id 
> that runs hadoop (I assumed this meant the user id "hdfs"). However, with the 
> new unified code path, that would require hdfs to be able to impersonate root 
> (because root is always the local user that mounts a drive). The comments in 
> jira hdfs-5804 seem to indicate nobody has a problem with requiring the 
> nfsserver user to impersonate root -- if that means it's necessary for the 
> configuration to include root as a user nfsserver can impersonate, that 
> should be included in the setup instructions.
> More to the point, it appears to be absolutely necessary now to provision a 
> user named "nfsserver" in order to be able to give that nfsserver ability to 
> impersonate other users. Alternatively I think we'd need to configure hdfs to 
> be able to proxy other users. I'm not really sure what the best practice 
> should be, but it should be documented since it wasn't needed in the past.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
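
The proxy-user requirement discussed in this issue can be checked before starting the gateway. The following is an added example, not code from the issue, its patches or the Hadoop project: a simplified model of how `hadoop.proxyuser.<user>.groups` and `hadoop.proxyuser.<user>.hosts` gate impersonation. The XML values, the host names and root's group membership are constructed assumptions, and hosts are matched as exact strings only.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (assumption, not taken from the issue).
# "nfsserver" is the gateway account named in the issue; all values are samples.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.nfsserver.groups</name><value>root,users-group1</value></property>
  <property><name>hadoop.proxyuser.nfsserver.hosts</name><value>nfs-gw.example.com</value></property>
  <property><name>hadoop.proxyuser.hdfs.groups</name><value>*</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."

def proxy_rules(xml_text):
    """Return {proxy_user: {"groups": set, "hosts": set}} from core-site.xml text."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if user and kind in ("groups", "hosts"):
            rules.setdefault(user, {"groups": set(), "hosts": set()})[kind] = {
                v.strip() for v in value.split(",") if v.strip()}
    return rules

def may_impersonate(rules, proxy_user, target_groups, host):
    """Simplified model: the target must belong to an allowed group AND the
    request must come from an allowed host; a missing entry refuses."""
    rule = rules.get(proxy_user)
    if rule is None:
        return False
    group_ok = "*" in rule["groups"] or bool(rule["groups"] & set(target_groups))
    host_ok = "*" in rule["hosts"] or host in rule["hosts"]
    return group_ok and host_ok

def findings(rules):
    """Flag missing or wildcard entries for a reviewer to look at."""
    out = []
    for user, rule in sorted(rules.items()):
        for kind in ("groups", "hosts"):
            if not rule[kind]:
                out.append(f"{user}: no {kind} entry, impersonation is refused")
            elif "*" in rule[kind]:
                out.append(f"{user}: {kind} is '*', any {kind[:-1]} is accepted")
    return out
```

In this sample, `hdfs` has a wildcard `groups` entry but no `hosts` entry, so the model refuses it the right to act as root, while `nfsserver` is accepted only from the listed gateway host.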
