[
https://issues.apache.org/jira/browse/METRON-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16581378#comment-16581378
]
ASF GitHub Bot commented on METRON-1738:
----------------------------------------
Github user mmiklavc commented on the issue:
https://github.com/apache/metron/pull/1166
@merrimanr - just for clarification on the directory permissions:
**Non-Kerberized**
- storm:hadoop, 0775
- Storm impersonation does not work
- Storm runs the topology, so it has rwx (7)
- Metron needs to read/write for the input dir and writing out the results
(cli query, rest/ui query). It's a member of the `hadoop` group, so using that
group with 0775 enables the required access.
```
groups metron
metron : hadoop
```
**Kerberized**
- metron:hadoop, 0755
- Impersonation works for Storm here
- metron runs the topology and has rwx (7) access
- hadoop no longer needs write access bc of impersonation
I compared this to what we do with indexing and I think we have 1 small
gap. When starting from non-kerberized, and then adding kerberization, the
perms will be looser than desired because any member of `hadoop` will still be
able to write.
https://github.com/apache/metron/blob/master/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/indexing_master.py#L78
> Pcap directories should have correct permissions
> ------------------------------------------------
>
> Key: METRON-1738
> URL: https://issues.apache.org/jira/browse/METRON-1738
> Project: Metron
> Issue Type: Sub-task
> Reporter: Ryan Merriman
> Priority: Major
>
> Different permissions are required for Kerberized vs non-Kerberized
> installations.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
