[
https://issues.apache.org/jira/browse/MAPREDUCE-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Allen Wittenauer updated MAPREDUCE-5571:
----------------------------------------
Resolution: Won't Fix
Status: Resolved (was: Patch Available)
No consensus. Closing.
> allow access to the DFS job submission + staging directory by members of the
> job submitters group
> -------------------------------------------------------------------------------------------------
>
> Key: MAPREDUCE-5571
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-5571
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Affects Versions: 1.2.1, 2.0.5-alpha
> Environment: linux
> Reporter: bradley childs
> Attachments: HADOOP-1.2-PERM.patch, hadoop-2.0.5-perm.patch
>
>
> The job submission and staging directories are explicitly given 0700
> permissions restricting access of job submission files only to the submitter
> UID. this prevents hadoop daemon services running under different UIDs from
> reading the job submitters files. it is common unix practice to run daemon
> services under their own UIDs for security purposes.
> This bug can be demonstrated by creating a single node configuration, which
> runs LocalFileSystem and not HDFS. Create two users and add them to a
> 'hadoop' group. Start the hadoop services with one of the users, then submit
> a map/reduce job with the other user (or run one of the examples). Job
> submission ultimately fails and the M/R job doesn't execute.
> The fix is simple enough and secure-- change the staging directory
> permissions to 2750. i have demonstrated the patch against 2.0.5 (along
> with another fix for an incorrect decimal->octal conversion) and will attach
> the patch.
> this bug is present since very early versions. i would like to fix it at the
> lowest level as it's a simple file mode change in all versions, and
> localized to one file. is this possible?
--
This message was sent by Atlassian JIRA
(v6.2#6252)
