[
https://issues.apache.org/jira/browse/HDFS-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14076928#comment-14076928
]
Brandon Li edited comment on HDFS-6717 at 7/28/14 9:41 PM:
---
[~dscheffy], you are right that root group needs to be added to the the value
of hadoop.proxyuser.nfsserver.groups. The change in the patch was focusing on
answering who is proxy user, who should start NFS gateway and etc.
Based on your last comment, I think we should also add some description saying
group 'root' should be added to hadoop.proxyuser.nfsserver.groups in most
Linux platforms where root privilege is by default required to mount NFS
exports.
Please let me know if there is any unclear description in the doc and I will
fix it.
was (Author: brandonli):
[~dscheffy], you are right that root group needs to be added to the the value
of hadoop.proxyuser.nfsserver.groups. The change in the patch was focusing on
answering who is proxy user, who should start NFS gateway and etc.
Based on your last comment, I think we should also add some description saying
group root should be added to hadoop.proxyuser.nfsserver.groups in most
Linux platforms where root privilege is by default required to mount NFS
exports.
Please let me know if there is any unclear description in the doc and I will
fix it.
Jira HDFS-5804 breaks default nfs-gateway behavior for unsecured config
---
Key: HDFS-6717
URL: https://issues.apache.org/jira/browse/HDFS-6717
Project: Hadoop HDFS
Issue Type: Sub-task
Components: nfs
Affects Versions: 2.4.0
Reporter: Jeff Hansen
Assignee: Brandon Li
Priority: Minor
Fix For: 2.5.0
Attachments: HDFS-6717.001.patch, HdfsNfsGateway.html
I believe this is just a matter of needing to update documentation. As a
result of https://issues.apache.org/jira/browse/HDFS-5804, the secure and
unsecure code paths appear to have been merged -- this is great because it
means less code to test. However, it means that the default unsecure behavior
requires additional configuration that needs to be documented.
I'm not the first to have trouble following the instructions documented in
http://hadoop.apache.org/docs/r2.4.0/hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html
I kept hitting a RemoteException with the message that hdfs user cannot
impersonate root -- apparently under the old code, there was no impersonation
going on, so the nfs3 service could and should be run under the same user id
that runs hadoop (I assumed this meant the user id hdfs). However, with the
new unified code path, that would require hdfs to be able to impersonate root
(because root is always the local user that mounts a drive). The comments in
jira hdfs-5804 seem to indicate nobody has a problem with requiring the
nfsserver user to impersonate root -- if that means it's necessary for the
configuration to include root as a user nfsserver can impersonate, that
should be included in the setup instructions.
More to the point, it appears to be absolutely necessary now to provision a
user named nfsserver in order to be able to give that nfsserver ability to
impersonate other users. Alternatively I think we'd need to configure hdfs to
be able to proxy other users. I'm not really sure what the best practice
should be, but it should be documented since it wasn't needed in the past.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
