Well yes, if you enable ACLs then you have to create the ACLs, too. :) Perhaps the issue here is that Trafodion can't get access to /hbase/archives w/o ACLs since that directory may be owned by another user in a group other than trafodion?
I'm mostly trying to document requirements and reasoning for things like this to provide "comfort" when doing installation: "during installation, Trafodion will make these changes to your environment for these reasons" is a lot better than "hey, what happened to my environment? HDFS ACLs are enabled!"

Thanks,

Gunnar

On Thu, Feb 4, 2016 at 3:31 PM, Amanda Moran <[email protected]> wrote:

> # NOTE: These commands must be done AFTER acls are
> # enabled and HDFS has been restarted
> echo "***INFO: Setting HDFS ACLs for snapshot scan support"
> sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -mkdir -p /hbase/archive"
> if [ $? != 0 ]; then
>    echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -mkdir -p /hbase/archive) command failed"
>    exit -1
> fi
> sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -chown hbase:hbase /hbase/archive"
> if [ $? != 0 ]; then
>    echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -chown hbase:hbase /hbase/archive) command failed"
>    exit -1
> fi
> sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m user:$TRAF_USER:rwx /hbase/archive"
> if [ $? != 0 ]; then
>    echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m user:$TRAF_USER:rwx /hbase/archive) command failed"
>    exit -1
> fi
> sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m default:user:$TRAF_USER:rwx /hbase/archive"
> if [ $? != 0 ]; then
>    echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m default:user:$TRAF_USER:rwx /hbase/archive) command failed"
>    exit -1
> fi
> sudo su hdfs --command "$HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m mask::rwx /hbase/archive"
> if [ $? != 0 ]; then
>    echo "***ERROR: ($HADOOP_BIN_PATH/hdfs dfs -setfacl -R -m mask::rwx /hbase/archive) command failed"
>    exit -1
> fi
>
> Here is the code that needs ACLS to be set to true. Maybe this helps ... :)
>
> On Thu, Feb 4, 2016 at 2:26 PM, Gunnar Tapper <[email protected]> wrote:
>
>> Hi,
>>
>> I noticed that Trafodion requires that dfs.namenode.acls.enabled is set
>> to true. The reason for this seems to be a desire to do a set setfacl on
>> hbase/archive.
>>
>> Is this a true requirement or an embedded best practice?
>>
>> I'm wondering since we're now imposing security policies on the user even
>> if the user has chosen to rely on the traditional POSIX permission model
>> over implementing the extended POSIX ACL model. Also, how does this HDFS
>> configuration flag relate to a user that is using Kerberos?
>>
>> --
>> Thanks,
>>
>> Gunnar
>> *If you think you can you can, if you think you can't you're right.*
>
> --
> Thanks,
>
> Amanda Moran

--
Thanks,

Gunnar
*If you think you can you can, if you think you can't you're right.*
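
A read-only check an administrator could run after installation to confirm the ACL state that the quoted installer commands are meant to leave on /hbase/archive. This is an added example, not part of the thread or of Trafodion's installer; the function names, the sample user `trafodion` and the getfacl listings are constructed assumptions.

```shell
#!/bin/sh
# Added example (not Trafodion code): audit `hdfs dfs -getfacl` output for the
# grants made by the installer commands quoted in the thread.
# Assumed usage: hdfs dfs -getfacl /hbase/archive | check_archive_acl "$TRAF_USER"

# Reads getfacl text on stdin, reports each expected entry that is absent or
# not effectively rwx, and returns 0 only when all three are in place.
check_archive_acl() {
    awk -v u="$1" '
        /^#/ || NF == 0 { next }                  # header lines and blanks
        {
            entry = $1; sub(/:[^:]*$/, "", entry) # e.g. "user:trafodion"
            perms = $1; sub(/^.*:/, "", perms)    # e.g. "rwx"
            # A narrower mask makes getfacl append "#effective:PERMS".
            if (match($0, /#effective:[rwx-]+/))
                perms = substr($0, RSTART + 11, RLENGTH - 11)
            acl[entry] = perms
        }
        END {
            want[1] = "user:" u; want[2] = "default:user:" u; want[3] = "mask:"
            for (i = 1; i <= 3; i++) {
                found = (want[i] in acl) ? acl[want[i]] : "none"
                if (found != "rwx") {
                    printf "NOT rwx: %s (found: %s)\n", want[i], found
                    bad = 1
                }
            }
            exit bad + 0
        }'
}

# Constructed sample: the state the installer commands should leave behind.
sample_ok() {
    printf '%s\n' '# file: /hbase/archive' '# owner: hbase' '# group: hbase' \
        'user::rwx' 'user:trafodion:rwx' 'group::r-x' 'mask::rwx' 'other::r-x' \
        'default:user::rwx' 'default:user:trafodion:rwx' 'default:group::r-x' \
        'default:mask::rwx' 'default:other::r-x'
}

# Constructed sample: mask narrowed afterwards and default entry never set.
sample_reduced() {
    printf '%s\n' '# file: /hbase/archive' '# owner: hbase' '# group: hbase' 'user::rwx'
    printf 'user:trafodion:rwx\t#effective:r-x\n'
    printf '%s\n' 'group::r-x' 'mask::r-x' 'other::r-x'
}
```

Recording the output of this check before and after installation gives the "these changes were made to your environment" record the thread asks for.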
