[ https://issues.apache.org/jira/browse/HDFS-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Li updated HDFS-6717:
-----------------------------

    Attachment: HDFS-6717.more-change2.patch

> Jira HDFS-5804 breaks default nfs-gateway behavior for unsecured config
> -----------------------------------------------------------------------
>
>                 Key: HDFS-6717
>                 URL: https://issues.apache.org/jira/browse/HDFS-6717
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: nfs
>    Affects Versions: 2.4.0
>            Reporter: Jeff Hansen
>            Assignee: Brandon Li
>            Priority: Minor
>             Fix For: 2.5.0
>
>         Attachments: HDFS-6717.001.patch, HDFS-6717.more-change.patch, 
> HDFS-6717.more-change2.patch, HdfsNfsGateway.html
>
>
> I believe this is just a matter of needing to update documentation. As a 
> result of https://issues.apache.org/jira/browse/HDFS-5804, the secure and 
> unsecure code paths appear to have been merged -- this is great because it 
> means less code to test. However, it means that the default unsecure behavior 
> requires additional configuration that needs to be documented. 
> I'm not the first to have trouble following the instructions documented in 
> http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html
> I kept hitting a RemoteException with the message that hdfs user cannot 
> impersonate root -- apparently under the old code, there was no impersonation 
> going on, so the nfs3 service could and should be run under the same user id 
> that runs hadoop (I assumed this meant the user id "hdfs"). However, with the 
> new unified code path, that would require hdfs to be able to impersonate root 
> (because root is always the local user that mounts a drive). The comments in 
> jira hdfs-5804 seem to indicate nobody has a problem with requiring the 
> nfsserver user to impersonate root -- if that means it's necessary for the 
> configuration to include root as a user nfsserver can impersonate, that 
> should be included in the setup instructions.
> More to the point, it appears to be absolutely necessary now to provision a 
> user named "nfsserver" in order to be able to give that nfsserver the ability to 
> impersonate other users. Alternatively I think we'd need to configure hdfs to 
> be able to proxy other users. I'm not really sure what the best practice 
> should be, but it should be documented since it wasn't needed in the past.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
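
The impersonation requirement described in the issue can be checked against a core-site.xml before the gateway is started. The following is an added example, not code from the issue, its patches or Hadoop: it models the proxy-user rule in simplified form using the `hadoop.proxyuser.<user>.groups` and `hadoop.proxyuser.<user>.hosts` properties. The sample XML, the host name, the group names and the function names are constructed for illustration, and host matching is literal or `*` only.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragments (sample input, not taken from the issue).
MISSING = "<configuration></configuration>"
SCOPED = """<configuration>
  <property><name>hadoop.proxyuser.nfsserver.groups</name><value>root,nfsusers</value></property>
  <property><name>hadoop.proxyuser.nfsserver.hosts</name><value>nfs-gw.example.com</value></property>
</configuration>"""
WILDCARD = SCOPED.replace("root,nfsusers", "*").replace("nfs-gw.example.com", "*")


def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}


def check_gateway_proxy(xml_text, gateway_user, user_groups, gateway_host):
    """Report whether gateway_user may impersonate a user who is in user_groups.

    Simplified model (an assumption of this example): the impersonated user must
    be in an allowed group AND the request must come from an allowed host.
    """
    props = load_props(xml_text)
    findings, allowed = [], {}
    for key in ("groups", "hosts"):
        raw = props.get(f"hadoop.proxyuser.{gateway_user}.{key}")
        if raw is None:
            findings.append(f"missing hadoop.proxyuser.{gateway_user}.{key}")
            allowed[key] = set()
            continue
        allowed[key] = {v.strip() for v in raw.split(",") if v.strip()}
        if "*" in allowed[key]:
            # Works, but lets the gateway account act as any user / from any host.
            findings.append(f"wildcard {key}: any {key[:-1]} accepted")
    group_ok = "*" in allowed["groups"] or bool(allowed["groups"] & set(user_groups))
    host_ok = "*" in allowed["hosts"] or gateway_host in allowed["hosts"]
    return {"can_impersonate": group_ok and host_ok, "findings": findings}


if __name__ == "__main__":
    # root's group list is passed in by the caller; ["root"] is an assumption.
    for label, xml_text in (("missing", MISSING), ("scoped", SCOPED), ("wildcard", WILDCARD)):
        print(label, check_gateway_proxy(xml_text, "nfsserver", ["root"], "nfs-gw.example.com"))
```

Running the same check with `gateway_user="hdfs"` against the scoped sample reports both properties as missing, which corresponds to the "cannot impersonate root" failure the reporter describes.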
